On Thu, Sep 24, 2009 at 12:00:05AM +0200, Michael Prinzinger wrote:
> > "Certificates" are useless without corresponding signed messages. What
> > messages are signed by the private key of the "previous" node, that the
> > current node can forward to the next?
> >
>
> I only want to verify that the previous node is the node it is supposed to
> be. After decrypting the setup package I have the certificate (and ip) od the
> correct previous node.
You need to explain your terminology much more precisely.
Are you saying that the accepting system expects X.509 client credentials
from the connecting system, but that the payload (encrypted to the
receiving node's public key) also contains the same certificate, and
you want to check that the peer client matches the encrypted request?
If so, trust chain verification is completely irrelevant here. You
don't need to repeat the handshake, rather implement a verification
callback that accepts untrusted certificates (X.509 trust anchors seem
inapplicable in this context) and compares them (via the public key
fingerprint) to the designated certificate in the message payload.
If you want something else, you must explain it in a lot more detail.
Note, your problem is understanding the crypto protocol design, not
OpenSSL. You are using this list to get help with X.509 and cryptography,
not really the OpenSSL API, so we are somewhat outside the list charter,
but such questions are relatively common here...
--
Viktor.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
