> From: owner-openssl-us...@openssl.org On Behalf Of MK
> Sent: Saturday, 18 February, 2012 10:59

> On Fri, 17 Feb 2012 12:12:43 -0700
> Dave Meetchum <yancy7...@gmail.com> wrote:
> 
> > I am trying to use OpenSSL on iOS and Android in conjunction with
> > libcurl for my applications HTTP interface. From what I understand
> > OpenSSL does not come with a CA cert which is 
> understandable. Also my
> > understanding is that if you need a CA cert on the client to verify
> > the server is who they claim to be. 
> 
> No.  The client browser checks the certificate you register with
> openssl (which is public, but may have a private key); this is done as
> part of the preliminary negotiation. You do not need to provide the
> client with its own certificate or do anything other than:
> 
> 1) create or obtain a certificate.
> 2) pass ssl the .crt file and the private key, eg. via
> SSL_CTX_use_certificate_file() and 
> SSL_CTX_use_PrivateKey_file() during
> initialization of the server.
> 
> After that you don't need to do anything. 
> 
This is mostly (not always) correct for a *server*. OP asked about 
libcurl, a client. An SSL client usually (not always) needs to 
verify the server(s) it connects to, and to do that the client needs 
the CA root(s) or selfsigned cert(s) for the server(s) obtained by 
means adequately safe from tampering by an attacker. If a client app 
will only use a predetermined server or set of servers, which in turn 
uses predetermined CA(s) or pregenerated selfsigned, you can bundle 
those with the app and be done. Otherwise you need to deal with 
choosing, obtaining and possibly updating "good" roots.

> You can create your own "self-signed" certificate (these trigger a
> warning in the client user agent and the user must accept an
> "untrusted" connection), or obtain one, usually for a fee from a
> trusted certificate authority.  It does not have to be mozilla.  There
> are also people who provide them for free, eg:
> 
> http://cert.startcom.org/
> 
Mozilla is not a CA. Mozilla is a client that is distributed and 
installed with a set of roots it initially trusts, decided by the 
Mozilla releasers, although the user can later add or delete.
Similarly IE/Windows (by Microsoft) and other browsers, and *some* 
packaged builds of OpenSSL by the packager(s). Two similar things 
are often suggested for an SSL client app especially one using 
public servers, and I suspect one or the other of them was here:

- trust the Mozilla install. Export the CA root(s) you want 
from a local installed copy of Mozilla, trusting that Mozilla 
was installed (and perhaps updated) securely and thus these 
CA certs are untampered, and use it(them).

- trust the Mozilla choices. Take *all* the CA roots from a 
(local) copy of Mozilla, trusting the Mozilla people have done 
a good job of deciding which CAs deserve trust, plus as above 
the Mozilla install/update got them safely on your machine.

If you as an app developer don't have time and/or expertise to 
make these choices yourself, piggybacking on the work already 
done by Mozilla is a good alternative. In fact the curl 
developers more or less recommend it:
http://curl.haxx.se/docs/sslcerts.html
http://curl.haxx.se/docs/caextract.html
although curl, like any decent OpenSSL app, will use 
whatever truststore you choose to give it.


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org

Reply via email to