Hi All,

I am absolutely new to this world of SSL, as will be evident from my
confusions and questions.

I am trying to write a client that will securely connect to N web
servers every T seconds, and retrieve a document: info.txt.

To test it, I wrote the following code (borrowed from:
http://www.ibm.com/developerworks/linux/library/l-openssl.html). I
then generated a self-signed certificate. I ran the code, trying to
connect to a secure site. And it was successful.

My questions are:
1) Can this approach be used to retrieve documents from ANY secure
server, ALWAYS?
2) Does the server need to be configured for this?
3) Is it common to have servers configured thus, without any security hazard?

I generated the self-signed certificate using the following command:
openssl req -x509 -nodes -days 10 -newkey rsa:1024 -keyout mycert.pem -out mycert.pem

Here is the main part of the code:
    #include <stdio.h>
    #include <string.h>
    #include <openssl/bio.h>
    #include <openssl/ssl.h>
    #include <openssl/err.h>

    int main(void)
    {
        SSL_CTX *ctx;
        SSL *ssl;
        BIO *bio;
        char r[1024];
        int p;
        /* The request string is not shown in the post; this one asks for info.txt */
        const char *request = "GET /info.txt HTTP/1.0\r\n"
                              "Host: www.dcu.org\r\n"
                              "Connection: close\r\n\r\n";

        SSL_library_init();
        ERR_load_BIO_strings();
        SSL_load_error_strings();
        OpenSSL_add_all_algorithms();

        ctx = SSL_CTX_new(SSLv23_client_method());  /* Set up the SSL context */
        if (!ctx) {
            ERR_print_errors_fp(stderr);
            return 1;
        }

        /* Load the trust store: only certificates in mycert.pem are trusted */
        if (!SSL_CTX_load_verify_locations(ctx, "mycert.pem", NULL)) {
            fprintf(stderr, "Error loading trust store\n");
            ERR_print_errors_fp(stderr);
            SSL_CTX_free(ctx);
            return 1;
        }

        bio = BIO_new_ssl_connect(ctx);   /* Set up the connection */

        /* Set the SSL_MODE_AUTO_RETRY flag */
        BIO_get_ssl(bio, &ssl);
        SSL_set_mode(ssl, SSL_MODE_AUTO_RETRY);

        BIO_set_conn_hostname(bio, "www.dcu.org:443");   /* Create and set up the connection */
        if (BIO_do_connect(bio) <= 0) {
            fprintf(stderr, "Error attempting to connect\n");
            ERR_print_errors_fp(stderr);
            BIO_free_all(bio);
            SSL_CTX_free(ctx);
            return 1;
        }

        /* Check the certificate (SSL_get_verify_result returns a long) */
        if (SSL_get_verify_result(ssl) != X509_V_OK) {
            fprintf(stderr, "Certificate verification error: %ld\n",
                    SSL_get_verify_result(ssl));
            BIO_free_all(bio);
            SSL_CTX_free(ctx);
            return 1;
        }

        BIO_write(bio, request, strlen(request));        /* Send the request */
        for (;;) {
            p = BIO_read(bio, r, sizeof(r) - 1);    /* Read in the response */
            if (p <= 0) break;
            r[p] = 0;
            printf("%s", r);
        }

        BIO_free_all(bio);
        SSL_CTX_free(ctx);
        return 0;
    }
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
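The following script is an added example, not part of the original post or of the IBM article the code was borrowed from. It uses the openssl command-line tool to show what the client above is actually checking: a trust store that contains only mycert.pem accepts exactly that certificate and rejects every other one, so whether the approach works against a given server depends on whether that server's chain leads to something in the trust store, not on any server-side configuration. It also shows a fetch with the checks the C code leaves out (SNI, hostname matching, and aborting the handshake on a verification failure). It assumes an openssl binary on PATH; fetch_document additionally needs network access and the system CA bundle in its default location. The hostnames and the certificates it generates are constructed for the demo.

```sh
#!/bin/sh
# Added example (not from the original post). Assumes the openssl CLI is
# installed; fetch_document also assumes a reachable host and a default
# system trust store. All hostnames below are made up.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_self_signed DIR NAME CN
# Creates DIR/NAME.key and DIR/NAME.crt: a self-signed certificate like the
# one the poster's "openssl req -x509 ..." command produces (2048-bit key).
make_self_signed() {
    dir=$1; name=$2; cn=$3
    openssl req -x509 -nodes -days 10 -newkey rsa:2048 -subj "/CN=$cn" \
        -keyout "$dir/$name.key" -out "$dir/$name.crt" >/dev/null 2>&1
}

# trust_store_accepts CAFILE CERT
# Prints OK if CERT chains to a certificate in CAFILE, REJECTED otherwise.
# This is the same decision SSL_CTX_load_verify_locations + SSL_get_verify_result
# make in the C code: the trust store is a list of roots, nothing more.
trust_store_accepts() {
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
        echo OK
    else
        echo REJECTED
    fi
}

# fetch_document HOST PATH
# Retrieves PATH from HOST over TLS with the checks the C code leaves out:
# SNI (-servername), a hostname match against the certificate
# (-verify_hostname) and failing the handshake instead of carrying on when
# the chain does not verify (-verify_return_error). With no -CAfile/-CApath,
# s_client uses the system default trust store, which is what lets it verify
# arbitrary public servers that a lone self-signed mycert.pem never could.
fetch_document() {
    host=$1; path=$2
    printf 'GET %s HTTP/1.0\r\nHost: %s\r\nConnection: close\r\n\r\n' "$path" "$host" |
        openssl s_client -quiet -connect "$host:443" -servername "$host" \
            -verify_hostname "$host" -verify_return_error
}

# Constructed demo: two unrelated self-signed certificates.
make_self_signed "$WORK" server www.example.test
make_self_signed "$WORK" stranger other.example.test

echo "trust store = server.crt, presented = server.crt:   $(trust_store_accepts "$WORK/server.crt" "$WORK/server.crt")"
echo "trust store = server.crt, presented = stranger.crt: $(trust_store_accepts "$WORK/server.crt" "$WORK/stranger.crt")"

# Network use (not run here): fetch_document www.example.test /info.txt
```

The first echo prints OK and the second REJECTED: a self-signed certificate in the trust store vouches for itself and for nothing else. A client that should talk to N servers therefore needs either each server's own certificate (or a CA that issued them) in its trust store, or the system CA bundle, and it needs the hostname check in addition to SSL_get_verify_result, because a chain that verifies is still only acceptable if it was issued for the host the client meant to reach.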