> From: owner-openssl-us...@openssl.org On Behalf Of Troyanker, Vlad
> Sent: Wednesday, October 02, 2013 20:17
> In response to David: If I do not set VERIFY_PEER flag, then client does
> NOT deliver its certificate to server. At least SSL_Peer_Certificate()
> returns null.
>
You do need VERIFY in the server to invite the client to send cert, yes. You don't need FAIL_IF_NO_CERT (or V_ONCE) *for that*. But that's a minor point and perhaps not relevant.

> With regards to installing the self-signed certs on each host. Does it not
> defeat the purpose of a self-signed cert a little? I thought that setting
> X509 attribute CA=TRUE (see my code in the original post) was a clue
> enough for it to be used as CA authority. Can someone confirm if
> self-signed certs still need to be installed for verification to succeed?
>
To validate, a relier using (current) OpenSSL must have in its truststore the root used, plus any chain certs if the peer doesn't send them as it should. (Other SSL software mostly must have a trust anchor but not necessarily the root, and the next OpenSSL release reportedly will add some options in this area.) A self-signed cert IS a root and has no chain certs.

Setting CA=true "allows" the cert, along with the key it certifies, to be used to issue other "child" certs. More exactly, it directs a relier who trusts the CA cert to extend that trust to child certs if other requirements are also met (signature valid, not expired, not revoked, keyusage and extkeyusage if present suitable, chain not too long, policies acceptable, etc.). A silly CA could actually create certs issued under a non-CA cert, but they would be invalid and useless.

Assuming you want to use your self-signed certs for SSL handshake as described and not issue child certs, CA=true is not needed with OpenSSL. I have encountered some other software that wants CA=true on self-signed though.

If you want to get a peer cert but not actually validate it, in OpenSSL, you can set a verify_callback routine which overrides the error and accepts the cert/chain.
But this is kind of like going from one building to the one next door by walking across town and then walking back and then going next door. It works, but it's extra effort for zero benefit. If you don't want SSL authentication, just don't do SSL authentication.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
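An added example (not part of the thread, and not the poster's code) that checks the truststore point above with the openssl CLI: a self-signed cert is its own root, so it validates only when it is itself in the relier's store, and otherwise fails with X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT (error 18), which is the error a verify_callback would be asked to override. The subject names, file layout and helper names are assumptions.

```shell
#!/bin/sh
# Added example: self-signed certs must be in the relier's truststore.
# Requires the openssl CLI (1.1.0 or later for -no-CAfile/-no-CApath).
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# mkcert NAME: constructed self-signed certificate and key, valid one day.
# The subject /CN=NAME is an assumption, not a value from the thread.
mkcert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=$1" -keyout "$WORK/$1.key" -out "$WORK/$1.crt" \
    >/dev/null 2>&1
}

# verify_against STORE CERT: validate $WORK/CERT.crt using ONLY
# $WORK/STORE.crt as trust anchor (system defaults disabled).
# Prints "ok" on success, otherwise "error N" where N is the X509_V_ERR
# code OpenSSL would hand to a verify callback (18 = depth-zero self-signed).
verify_against() {
  if out=$(openssl verify -no-CAfile -no-CApath \
             -CAfile "$WORK/$1.crt" "$WORK/$2.crt" 2>&1); then
    echo ok
  else
    echo "$out" | sed -n 's/^error \([0-9][0-9]*\) at .*/error \1/p' | head -n 1
  fi
}

mkcert client   # the peer's self-signed cert
mkcert other    # an unrelated self-signed cert standing in for a truststore

echo "client cert, store contains client cert: $(verify_against client client)"
echo "client cert, store contains other cert:  $(verify_against other client)"
```

The second line shows why installing each host's self-signed cert on the relier is not optional: without it there is no trust anchor at all, and only a callback that deliberately ignores error 18 would let the handshake proceed.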