sorry! I mean BIO_do_connect() this function automatically checks the client verificate, so I need to overwrite the verifiction callback BIO_do_connect uses
thx On Thu, Sep 24, 2009 at 5:13 PM, Michael Prinzinger <tay...@gmail.com>wrote: > Thank You very much Victor, > > I think I understand now how it can be done. > If you could give me one last pointer, how to overwrite the verification > callback function, > that is called when executing "BIO_do_handshake", I'd be very grateful. > > sorry for using misguiding vocanulary :) > > Michael > > > On Thu, Sep 24, 2009 at 5:08 PM, Victor Duchovni < > victor.ducho...@morganstanley.com> wrote: > >> On Thu, Sep 24, 2009 at 04:23:03PM +0200, Michael Prinzinger wrote: >> >> > > Are you saying that the accepting system expects X.509 client >> credentials >> > > from the connecting system, but that the payload (encrypted to the >> > > receiving node's public key) also contains the same certificate, and >> > > you want to check that the peer client matches the encrypted request? >> > >> > Yes. >> > >> > > If so, trust chain verification is completely irrelevant here. You >> > > don't need to repeat the handshake, rather implement a verification >> > > callback that accepts untrusted certificates (X.509 trust anchors seem >> > > inapplicable in this context) and compares them (via the public key >> > > fingerprint) to the designated certificate in the message payload. >> > >> > Yes, this would do what I want. >> > I would have to call BIO_do_handshake with a customized verification >> call >> > back, that decrypts the payload, reads the certificate and compares them >> > to the one offered by the client? >> >> No, your verification callback just always succeeds, allowing invalid >> trust chains, expired certificates, ... to be used. After the handshake, >> when you receive and decrypt the payload, you compare the enclosed peer >> certificate (public key fingerprint) with the peer certificate (public >> key fingerprint) from the SSL session. >> >> > Since there are no central trust authorities withtin the context of this >> > protocol, I can only directly verify a certificate, resp. some message >> > signed with the corresponding private key. >> >> "Verify" is the wrong term here. It suggests X.509 PKI hierarchies and all >> that jazz. You just want to validate the peer's client cert against the >> message routing data in the payload. >> >> > > If you want something else, you must explain it in a lot more detail. >> > > >> > > Note, your problem is understanding the crypto protocol design, not >> > > OpenSSL. You are using this list to get help with X.509 and >> cryptography, >> > > not really the OpenSSL API, so we are somewhat outside the list >> charter, >> > > but such questions are relatively common here... >> > >> > Thank you for helping anyways. >> > If you know a good resource that explains X.509 infrastructure, I'd be >> glad >> > to read it. >> >> Actively avoid reading anything about X.509 infrastructure. Reading a >> decent applied cryptography book + a decent book general about SSL/TLS >> would be better (skipping the parts that deal with X.509 >> "infrastructure"). >> >> -- >> Viktor. >> ______________________________________________________________________ >> OpenSSL Project http://www.openssl.org >> User Support Mailing List openssl-users@openssl.org >> Automated List Manager majord...@openssl.org >> > >
