> From: owner-openssl-us...@openssl.org On Behalf Of MK > Sent: Saturday, 18 February, 2012 10:59
> On Fri, 17 Feb 2012 12:12:43 -0700 > Dave Meetchum <yancy7...@gmail.com> wrote: > > > I am trying to use OpenSSL on iOS and Android in conjunction with > > libcurl for my applications HTTP interface. From what I understand > > OpenSSL does not come with a CA cert which is > understandable. Also my > > understanding is that if you need a CA cert on the client to verify > > the server is who they claim to be. > > No. The client browser checks the certificate you register with > openssl (which is public, but may have a private key); this is done as > part of the preliminary negotiation. You do not need to provide the > client with its own certificate or do anything other than: > > 1) create or obtain a certificate. > 2) pass ssl the .crt file and the private key, eg. via > SSL_CTX_use_certificate_file() and > SSL_CTX_use_PrivateKey_file() during > initialization of the server. > > After that you don't need to do anything. > This is mostly (not always) correct for a *server*. OP asked about libcurl, a client. An SSL client usually (not always) needs to verify the server(s) it connects to, and to do that the client needs the CA root(s) or selfsigned cert(s) for the server(s) obtained by means adequately safe from tampering by an attacker. If a client app will only use a predetermined server or set of servers, which in turn uses predetermined CA(s) or pregenerated selfsigned, you can bundle those with the app and be done. Otherwise you need to deal with choosing, obtaining and possibly updating "good" roots. > You can create your own "self-signed" certificate (these trigger a > warning in the client user agent and the user must accept an > "untrusted" connection), or obtain one, usually for a fee from a > trusted certificate authority. It does not have to be mozilla. There > are also people who provide them for free, eg: > > http://cert.startcom.org/ > Mozilla is not a CA. Mozilla is a client that is distributed and installed with a set of roots it initially trusts, decided by the Mozilla releasers, although the user can later add or delete. Similarly IE/Windows (by Microsoft) and other browsers, and *some* packaged builds of OpenSSL by the packager(s). Two similar things are often suggested for an SSL client app especially one using public servers, and I suspect one or the other of them was here: - trust the Mozilla install. Export the CA root(s) you want from a local installed copy of Mozilla, trusting that Mozilla was installed (and perhaps updated) securely and thus these CA certs are untampered, and use it(them). - trust the Mozilla choices. Take *all* the CA roots from a (local) copy of Mozilla, trusting the Mozilla people have done a good job of deciding which CAs deserve trust, plus as above the Mozilla install/update got them safely on your machine. If you as an app developer don't have time and/or expertise to make these choices yourself, piggybacking on the work already done by Mozilla is a good alternative. In fact the curl developers more or less recommend it: http://curl.haxx.se/docs/sslcerts.html http://curl.haxx.se/docs/caextract.html although curl, like any decent OpenSSL app, will use whatever truststore you choose to give it. ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager majord...@openssl.org
