On Fri, 15 Nov 2013, Dr. Stephen Henson wrote:
> On Fri, Nov 15, 2013, Dimitrios Apostolou wrote:
>> On Fri, 15 Nov 2013, Dr. Stephen Henson wrote:
>>> If the certificate contains no useful information then why check it at all
>>> other than to make sure it carries the correct public key?
>> I was not sure if the TLS handshake assures that the certificate has
>> not been tampered with, so I decided to go the safe way.
>> Specifically I assumed that a man in the middle can craft a
>> certificate that contains the same public key (it's public after
>> all), but he cannot sign it since he is missing the private key.
>> And since I'm overriding all of the default OpenSSL verification
>> (see my call to SSL_CTX_set_cert_verify_callback) I'm the one that
>> has to manually check for a valid signature, no?
> Depending on the ciphersuite either an RSA decryption operation or an RSA
> signature operation is performed by the server. So if the handshake completes
> successfully you can be sure that the same key is used as the one present in
> the certificate.
Thank you Steve, this is very reassuring, I'll remove the X509_verify()
call that checks the self-signed certificate. Cc'ing the list since I've
been looking for such information all over the web.
FWIW I've only enabled ciphers with RSA key exchange, no DH. The reason is
that since the certificate is always generated by an existing RSA key pair
I assumed this way I'm saving computational overhead related to DH and
maybe EC operations. Do you think this is logical?
Thanks,
Dimitris
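Steve's point above, that the only thing worth checking in such a certificate is the public key, amounts to a public-key pin; as an added example (not code from this thread), the stdlib-only Python below walks the DER of the peer certificate, extracts the SubjectPublicKeyInfo and compares its SHA-256 to an expected pin. The fake_cert helper and its field contents are constructed placeholders, not real certificates, so the check runs offline.

```python
import hashlib
import hmac

def _tlv(buf, pos):
    """Decode one DER TLV at pos -> (tag, value, raw_tlv, next_pos)."""
    start, tag, length, pos = pos, buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    end = pos + length
    return tag, buf[pos:end], buf[start:end], end

def _children(body):
    out, pos = [], 0                        # split a SEQUENCE body into (tag, value, raw) items
    while pos < len(body):
        tag, val, raw, pos = _tlv(body, pos)
        out.append((tag, val, raw))
    return out

def spki_der(cert_der):
    """Raw SubjectPublicKeyInfo TLV of a DER X.509 certificate.
    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
                                  issuer, validity, subject, subjectPublicKeyInfo, ... }"""
    _, cert, _, _ = _tlv(cert_der, 0)
    _, tbs, _, _ = _tlv(cert, 0)
    fields = _children(tbs)
    if fields[0][0] == 0xA0:                # skip the EXPLICIT [0] version when present
        fields = fields[1:]
    return fields[5][2]                     # serial, sigalg, issuer, validity, subject, SPKI

def spki_sha256(cert_der):
    """Hex SHA-256 over the DER SPKI: the usual public-key pin format."""
    return hashlib.sha256(spki_der(cert_der)).hexdigest()

def pin_matches(cert_der, expected_hex):
    return hmac.compare_digest(spki_sha256(cert_der), expected_hex)

# Constructed test material, not real certificates: DER skeletons with placeholder fields.
def _enc(tag, value):
    n = len(value)
    ln = bytes([n]) if n < 0x80 else (bytes([0x81, n]) if n < 0x100 else bytes([0x82]) + n.to_bytes(2, "big"))
    return bytes([tag]) + ln + value

def fake_cert(issuer, spki_value, sig_value):
    version = _enc(0xA0, _enc(0x02, b"\x02"))           # [0] EXPLICIT INTEGER 2 (v3)
    tbs = _enc(0x30, version + _enc(0x02, b"\x01") + _enc(0x30, b"") + _enc(0x30, issuer)
               + _enc(0x30, b"") + _enc(0x30, b"subject") + _enc(0x30, spki_value))
    return _enc(0x30, tbs + _enc(0x30, b"") + _enc(0x03, b"\x00" + sig_value))
```

With Python's ssl module, pass sock.getpeercert(binary_form=True) to pin_matches after the handshake. The pin alone also accepts a certificate that merely re-wraps the same public key; as Steve explains above, the server's RSA operation in the handshake is what proves it actually holds the matching private key.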
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org