On Fri February 17 2012, Dave Meetchum wrote: > I am trying to use OpenSSL on iOS and Android in conjunction with libcurl > for my applications HTTP interface. From what I understand OpenSSL does not > come with a CA cert which is understandable. Also my understanding is that > if you need a CA cert on the client to verify the server is who they claim > to be. So basically I need to embed a CA cert in my app or pull it over the > network on an unsecure connection when the app starts up. Is there another > way to get a CA cert on these devices? Am I correct that I definitely need > one and need to provide it myself? >
I can give some general answers, others here can give you the specifics... The system is built on the concept of a "Trusted Third Party" - So the general answer is: Yes, you need that "Trust Anchor" from somewhere. That "somewhere" needs to be other than the server you are trying to verify. That would be like asking the Fox if the Chickens are safe. ;-) > After reading the documentation the general suggestion is that a CA cert > can be obtained from Mozilla. This seems a bit odd. From what I have read, > CAs can be added and removed from the cert, and certs expire. How would you > know if you your app using OpenSSL needs to update it's cert? Would you > have to pull a cert from Mozilla everyday and diff it against the one you > are using? Also if you have an app on a mobile device that needs to update > its CA cert, how can it do it safely without worrying about a man in the > middle attack giving you a bad cert or someone on the device replacing your > copy of the CA cert once it has been downloaded? > > I feel like I am missing something here and that using OpenSSL should be > easier than I am making it out to be. Any help or insight would definitely > be appreciated! > There is a mechanism for handling that, "Certificate Revocation List(s)" "CRL". Any "Trust Anchor" you get should have a field that tells where to get the current CRL that trust anchor is using. How often you pull that list and check for changes in status of your trust anchor is an implementation choice. I have noticed that common, recent, web browsers seem to check once a week. I also know that in some systems, the CRL is pulled and checked __every time__ before a certificate (trust anchor) is used. PS: There is a system of signatures on all of these items to keep MIM attacks under control. Mike > Cheers, > Dave > ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager majord...@openssl.org
