Hi Peter,

actually I have not set the SSL_CTX_set_verify_depth(), I assume that if I don't, it would accept any depth, is that correct ?

Also, for the SSL_CTX_set_verify(), I use the following:

  ssl_verify_flags |= SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE;
  SSL_CTX_set_verify( ssl->ssl_ctx, ssl_verify_flags, __ssl_verify_cb );

and then, in the __ssl_verify_cb( int code, X509_STORE_CTX *ctx ), I check the err:

  err = X509_STORE_CTX_get_error( ctx );
  if( code == 0 ) {
    PKI_log_err("SSL Verify Failed (%d::%s)", err, X509_verify_cert_error_string(err));
    switch ( err ) {
      /* per-error handling */
    }
  }

so that for some errors I can still return 1 and continue.. but the error reported for each of the certificates in the chain is always the same. If I have a self-signed certificate in the chain:

  [net/ssl.c:65]::ERR::SSL Verify Failed (19::self signed certificate in certificate chain)
  [net/ssl.c:171]::DEBUG::Self Signed Certificate in Chain [1]
  [net/ssl.c:254]::DEBUG::SSL Verify Return => 1 (auth 1)
  [net/ssl.c:171]::DEBUG::Self Signed Certificate in Chain [1]
  [net/ssl.c:254]::DEBUG::SSL Verify Return => 1 (auth 1)
  [net/ssl.c:171]::DEBUG::Self Signed Certificate in Chain [0]
  [net/ssl.c:254]::DEBUG::SSL Verify Return => 1 (auth 1)

As you can see, the only difference is that at depth 1 the callback is executed twice: the first time an error is reported via the code variable, while the others are not. I have the impression that X509_STORE_CTX_get_error() always returns the last error, also when the verify callback returns a non-error code.

The exact same errors are reported also when I do not add the CA cert as a trusted certificate via the X509_STORE_add_cert(). What I would expect is that, in the second case, I would get notified that the certificate is not trusted...

Cheers,
Max

On 06/18/2010 05:04 PM, Peter Sylvester wrote:
> On 06/18/2010 01:57 AM, Massimiliano Pala wrote:
>> Hi all,
>>
>> I have two issues when I am trying to verify the certificates from an SSL connection. In particular I have difficulties in understanding how to:
>>
>> - Add a set of certificates that are to be trusted (trust anchors..)
> self signed certs
>> - Add a set of certificates that might be needed to build the chain (not trust anchors.. )
> any non self signed is in that category.
>> - Accept a chain of certificates where a self-signed cert is present without that error being the only one reported in the verify callback (i.e., are there any flags I can set to avoid the error ?)
>>
>> So far, from the source code, I thought that by using:
>>
>>   store = SSL_CTX_get_cert_store(ctx);
>>   X509_STORE_add_cert (store, cert);
>>   ...
>>   ssl = SSL_new ( ctx );
> did you use: SSL_CTX_set_verify
>> I would add the cert to the trusted ones.. but it does not seem to work :(
>>
>> Where are the functions or the right pointers to do that without using the SSL_CTX_load_verify_locations() ???
> The above code is ok, but you might want to play with all the verify functions like
>
>   SSL_CTX_set_verify_depth(ctx,2);
>   SSL_CTX_set_verify(ctx,SSL_VERIFY_PEER,ZERO_NULL);
>
> /P
--
Best Regards,
Massimiliano Pala

--o------------------------------------------------------------------------
Massimiliano Pala [OpenCA Project Manager]        ope...@acm.org
                                                  project.mana...@openca.org
Dartmouth Computer Science Dept                   Home Phone: +1 (603) 369-9332
PKI/Trust Laboratory                              Work Phone: +1 (603) 646-8734
--o------------------------------------------------------------------------
People who think they know everything are a great annoyance to those of us who do. -- Isaac Asimov