Kurt,

> Though the certificate seems to have expired I gather that it is being
> validated just fine otherwise, and the OnHandShakeDone event returns
> ErrCode = 0.

Yes, they are both sent by the server and both are expired. The root is
not trusted because you obviously did not add it to one of your trusted
CA stores.

> I have some final questions though.
>
> How would the debug print have looked had the certificate not been
> expired?

"self signed certificate in certificate chain" or similar.

> And how to tell if it was validated correctly, which properties
> should I check?

We are currently only talking about simple certificate chain
verification, that is only one part of SSL security. Even if the chain
verification succeeded completely you are not protected against "man in
the middle" attacks. Quoted from OverbyteHttpsTst Demo:

{ Now to the PostConnectionCheck, a very important security check!
  Our application will be vulnerable if you do not check the peer
  certificate beyond verification of the chain. Nothing prevents an
  attacker from getting his own certificate signed by one of our trusted
  CAs and then hijacking all our sessions. We thwart this kind of
  masquerade by tying the certificate to some information unique to the
  machine. In SSL this information is one or multiple fully qualified
  domain names (FQDN), also called DNS names, stored in the certificate's
  commonName field(s) of the subjectName field. Since X.509v3 the
  subjectAltName extension allows to hold the FQDN as well as other
  identifying information such as the IP address. We use function
  PostConnectionCheck to perform these checks for us. }

--
Arno Garrels

--
To unsubscribe or change your settings for TWSocket mailing list
please goto http://lists.elists.org/cgi-bin/mailman/listinfo/twsocket
Visit our website at http://www.overbyte.be
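The post-connection check that the quoted demo comment describes, written out as an added example in Python (it is not code from the OverbyteHttpsTst demo, from ICS, or from this thread, and it does not use the Delphi PostConnectionCheck function). It takes a peer certificate in the dictionary shape Python's `ssl.SSLSocket.getpeercert()` returns and matches the expected host against the subjectAltName dNSName / iPAddress entries, falling back to the subject commonName only for a certificate that carries no DNS-ID in its SAN. The three certificates at the bottom are constructed by hand for the demonstration; the names `post_connection_check`, `_dns_name_match` and the example domains are assumptions of this example.

```python
"""Post-connection identity check of a peer certificate (added example).

Chain verification only proves that *some* trusted CA signed the
certificate. This check ties the certificate to the host we meant to
reach, so a valid certificate for another name cannot be used to hijack
the session.
"""
import ipaddress


def _dns_name_match(pattern: str, hostname: str) -> bool:
    """Match one certificate DNS-ID against a hostname.

    Conservative RFC 6125-style rules: case-insensitive comparison, a
    wildcard is accepted only as the entire left-most label, it must have
    at least two labels to its right, and it never spans a dot.
    """
    pattern = pattern.rstrip(".").lower()
    hostname = hostname.rstrip(".").lower()
    if not pattern or not hostname:
        return False
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False                      # "f*o.example.com" or "*.com": reject
    if any("*" in label for label in p_labels[1:]):
        return False                      # wildcard only in the left-most label
    if len(p_labels) != len(h_labels):
        return False                      # "*.example.com" must not match a.b.example.com
    return h_labels[0] != "" and p_labels[1:] == h_labels[1:]


def _parse_ip(text: str):
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None


def post_connection_check(cert: dict, expected: str) -> bool:
    """Return True if `expected` (an FQDN or an IP literal) identifies `cert`.

    Order of checks:
      1. subjectAltName iPAddress entries are the only acceptable proof for
         an IP literal; a commonName never authenticates an IP.
      2. If the SAN carries any dNSName, only those are consulted.
      3. The subject commonName is a fallback for legacy certificates that
         have no DNS-ID in the SAN.
    """
    san = cert.get("subjectAltName", ())
    dns_ids = [value for kind, value in san if kind == "DNS"]
    ip_ids = [value for kind, value in san if kind == "IP Address"]

    expected_ip = _parse_ip(expected)
    if expected_ip is not None:
        return any(_parse_ip(v) == expected_ip for v in ip_ids)

    if dns_ids:
        return any(_dns_name_match(d, expected) for d in dns_ids)

    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName" and _dns_name_match(value, expected):
                return True
    return False


# Constructed sample certificates in getpeercert() shape (not real certificates).
GOOD_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "subjectAltName": (("DNS", "www.example.com"),
                       ("DNS", "*.example.com"),
                       ("IP Address", "192.0.2.10")),
}
LEGACY_CERT = {  # pre-SAN style: identity only in the commonName
    "subject": ((("commonName", "legacy.example.net"),),),
}
ATTACKER_CERT = {  # CA-signed for the attacker's own name; CN is a decoy
    "subject": ((("commonName", "www.example.com"),),),
    "subjectAltName": (("DNS", "attacker.example.org"),),
}

if __name__ == "__main__":
    for cert_name, cert, host in [("GOOD", GOOD_CERT, "api.example.com"),
                                  ("GOOD", GOOD_CERT, "deep.api.example.com"),
                                  ("LEGACY", LEGACY_CERT, "legacy.example.net"),
                                  ("ATTACKER", ATTACKER_CERT, "www.example.com")]:
        print(cert_name, host, post_connection_check(cert, host))
```

The ATTACKER_CERT case is the scenario the demo comment warns about: the chain verifies, but because the SAN names a different host the check fails even though the commonName says www.example.com. Modern Python does this for you when `check_hostname` is enabled on an `SSLContext`; the function above is only to make the matching rules visible, and it deliberately omits the expiry and chain checks that run before it.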