I would like to post a general observation regarding users of the OpenSSL toolkit.
A number of the questions hitting this list are somewhat detailed, and sometimes deal with interesting corner cases regarding the use of the toolkit. However, a large number of questions hitting this list have to do with what I call "normal use-cases" of the toolkit, such as verifying certificates, loading certificates, "How do I use OCSP to verify certs?", "How do I do this or that type of encryption (AES, ECC, etc.)?" There are also lots of APIs into the OpenSSL toolkit, such as the "d2i" routines, that produce questions time and again on the list. From the length of some of the threads I've read in the past, a number of developers seem to be burning a lot of development hours "guessing" at how functions are supposed to work.

After a cursory examination of the online documentation at www.openssl.org, it appears that a number of the links (I think most all of them) say INCOMPLETE. When I purchased my copy of the OpenSSL O'Reilly book (a good purchase) back in 2003, the links were all INCOMPLETE as well. I think it would behoove the OpenSSL community at large, for the OpenSSL team to pause here at the 1.0 release and spend some quality time on documenting the API calls with rationale, use-cases, examples, constraints, etc. For example, there have been updates to the docs fairly recently, in that the SSL API links seem to include PSK functionality, which is relatively new. However, the PSK API doc links only document the specific function - there's no use-case documentation for the typical TLS-PSK use-case wherein the individual API calls would be utilized. The documentation links that ARE functional and that return documentation on some of the APIs are probably good enough, but they should probably be reviewed for accuracy. But in addition to per-API functionality, there should be some "order of operations" as to how the APIs were intended to be used. Like, for TLS PSK, "do this", then "do this".
In other words, plenty of use-cases and examples I think would definitely reduce the list traffic on the list and accelerate "typical" use-case development. In my opinion, completing work on robust documentation would be of much higher value than adding any new post 1.0 functionality that probably wouldn't be (initially) documented either.

Thanks!!
Randy

On Nov 23, 2009, at 6:14 AM, Tim Ward wrote:

> Now solved. You iterate round the STACK_OF(X509) and add them one at a time
> with
>
> SSL_CTX_add_extra_chain_cert
>
> Tim Ward - Brett Ward Limited - 07801 703 600
> www.brettward.co.uk
>
> ----- Original Message -----
> From: "Tim Ward" <t...@brettward.co.uk>
> To: <openssl-users@openssl.org>
> Sent: Monday, November 23, 2009 11:11 AM
> Subject: SSL_CTX_use_certificate_chain?
>
>> How do I get an SSL server to send a certificate chain to a client in the
>> SSL Certificate message?
>>
>> The certificate chain is in a PKCS#12 file, which I read with
>>
>> d2i_PKCS12_fp
>>
>> and then parse with
>>
>> PKCS12_parse
>>
>> giving me an EVP_PKEY (the private key), an X509 (the certificate) and a
>> STACK_OF(X509) (the remaining certificates in the chain?).
>>
>> Then I create an SSL_CTX using SSL_CTX_new, and add the certificate and
>> private key into it using
>>
>> SSL_CTX_use_certificate
>> SSL_CTX_use_PrivateKey
>>
>> If I then create an SSL from this context using SSL_new and use that at the
>> server end of an SSL connection, it sends a Certificate message to the
>> client containing the server's certificate only, and not the entire chain
>> (which is what's needed as the client the other end isn't going to have any
>> of the intermediate certificates).
>>
>> This is not surprising, as I've told neither the SSL_CTX nor the SSL where
>> to find the chain that was returned from PKCS12_parse.
>>
>> Looking for a way to do this I can find no SSL_CTX_use_certificate_chain
>> API. There's an SSL_CTX_use_certificate_chain_file, which I'm guessing would
>> do what I wanted if the certificate chain were on disk in a .pem file, but
>> it isn't - it's in memory in a STACK_OF(X509).
>>
>> How do I get the server end of an SSL connection to use the certificate
>> chain parsed out of a PKCS#12 file using PKCS12_parse? Or have I completely
>> misunderstood how to use OpenSSL to get the certificate chain sent?
>>
>> Tim Ward - Brett Ward Limited - 07801 703 600
>> www.brettward.co.uk
>>
>> ______________________________________________________________________
>> OpenSSL Project http://www.openssl.org
>> User Support Mailing List openssl-users@openssl.org
>> Automated List Manager majord...@openssl.org