How to verify a client certificate?

Sun, 26 Sep 2010 08:56:05 -0700

My server wants to check that the client's certificate is signed by the correct CA. The client returns a certificate chain ending in a self-signed certificate, and I want to verify that it's the right self-signed certificate (call it A) and not some imposter.
I've been reading the online documentation and the O'Reilly book, which don't agree in this area, and some sample code, which I don't really understand. I've been doing one thing at a time, to try to understand each step. 


(1) First I  called SSL_CTX_set_verify specifying SSL_VERIFY_PEER | 
SSL_VERIFY_FAIL_IF_NO_PEER_CERT in an attempt to get the server to request a 
client certificate. This worked. The server requested a client certificate 
... but the certificate request had an empty DN list so the client returned 
an empty list of certificates in the certificate message.



(2) Next I called SSL_CTX_add_client_CA, passing it the self-signed 
certificate in question. I expected that this would include the DN in the 
previously empty certificate request message and provoke the client into 
sending its certificate chain in the certificate message. This also worked.



So far so good ... but what I expected was that verification during the SSL 
handshake would fail, because I had done nothing at all with certificate A 
other than pass it to SSL_CTX_add_client_CA. In particular I have made no 
call to SSL_CTX_load_verify_locations or SSL_CTX_set_default_verify_paths 
and not stored certificate A in any place on the disk that I would expect 
OpenSSL to be able to find it.[#]



However the verification didn't fail. Although OpenSSL has no knowledge of 
the trusted self-signed root certificate A other than as a parameter to 
SSL_CTX_add_client_CA, it still verifies the client certificate and sets up 
the SLL connection.



Why? What's happening here? What do I have to do to get OpenSSL to check 
that the client certificate is (ultimately) signed by someone I trust?


Thanks.


[#] I don't actually want to get certificate A into OpenSSL as a trusted 
root certificate by putting it in a disk file. It's embedded in the 
application's executable, and I want to load it into OpenSSL from there, so 
I don't want to use these functions anyway. But finding out how to do that 
is the next problem, not the current one.


Tim Ward - Brett Ward Limited - 07801 703 600

www.brettward.co.uk 


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org














    











					Reply via email to