On Wed, Nov 10, 2010 at 11:02:05PM +0000, Dimitrios Siganos wrote:

> > You can turn the can't find local issuer error for B, into an
> > OK in the verification callback by specifically whitelisting
> > the fingerprint of B, or finding B in a suitable store.
>
> So the solution is:
> 1) Maintain a list of trusted fingerprints (trusted intermediate CAs).
> 2) On UNABLE_TO_GET_ISSUER_CERT_LOCALLY (in verify callback), return 1,
>    if the cert's fingerprint is listed in my trusted fingerprints list.

Yes, something along these lines.

> Does that mean that the verification can continue as normal and all the
> usual tests, not yet performed, will be performed as usual?

Yes.

> >> We want to be able to connect a client, which trusts 'B', to a server
> >> that only has 'C'. 'A' should not enter the picture at all.
> >>
> >> What is the correct way to achieve this with openssl?
> >
> > If you are coding the SSL client, you can customize the verification
> > callbacks. The default verification callbacks check for a trusted
> > self-signed root. This may be easier if the server presents "B+C",
> > not just "C" as its cert chain.
>
> Yes, I am coding the SSL client only. My client must work in all
> possible scenarios. I have no control over the server(s) and don't know
> how they will present their certificates. Are you saying that the
> solution above is inadequate?

If the server only presents "C", then the verification callbacks won't
necessarily find "B", whose public key you need to verify the chain. I've
not tested this case, so I don't know whether OpenSSL will find "B" if it
is listed in the "CAfile" or "CApath". You may need to play with the not
very extensively documented X509_STORE functions if "B" is not
automatically found. It should be possible, may be more work.

This concern is moot if the intermediate "B" is automatically found by
the default X509_STORE logic, even when the server only presents "C" as
its trust chain. You'll have to test this, or perhaps someone else on the
list knows the answer...

-- 
	Viktor.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org