Gentlemen,

After successfully establishing an SSL connection, I'm attempting to ascertain the validity of the server certificate received by the client. The server certificate received was signed by Verisign, yet the OpenSSL engine does not successfully validate it. The root certificates I loaded into the SSL_CTX using the function SSL_CTX_load_verify_locations() were the Class 3 Verisign certificates exported from IE 5.0.

The interesting thing about this is that the issuer hash calculated using OpenSSL on the server certificate received is different from the hashes calculated on the exported certificates, yet IE still manages to accept the certificate as valid! The obvious question, at least for me, is: does the OpenSSL library base its decision solely on the issuer name hash when looking up the trusted CA root certificates, or is IE doing something completely different, like not basing its lookup on issuer hash but perhaps issuer CommonName?

Can someone provide me with a code snippet, or point me in the appropriate direction, that outlines another way to verify certificates without using the issuer name hash? My concern is if Verisign, or any other CA, is creating server certificates using licensing terms or some other policy within the issuer name on a per-certificate basis yet using the original public and private keys to sign it. Would this explain why the issuer hashes don't match yet IE continues to validate the cert, if IE does its lookup not based on issuer hash? Or am I way out in left field???

Thank you in advance for any assistance!
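The following is an added example, not code from the original post or from any of the replies in this thread. It reproduces the situation the poster describes with the `openssl` command-line tool: OpenSSL locates a candidate issuer by hashing the issuer Distinguished Name of the server certificate (`X509_NAME_hash()`, the value `openssl x509 -issuer_hash` prints and the name hashed CApath directories are keyed on) and looking for a trusted certificate whose subject DN has the same hash. A trust anchor that carries the same key pair but a different subject DN, for example an extra OU holding a policy or licence string, is therefore never found, and verification fails with "unable to get local issuer certificate". The script assumes an `openssl` binary on PATH; every DN, file name and key in it is constructed for the demonstration. Note that OpenSSL 1.0.0 changed the name-hash algorithm; `-issuer_hash_old` and `-subject_hash_old` print the value that OpenSSL of the IE 5.0 era computed, so compare like with like when checking an old installation.

```shell
#!/bin/sh
# Added example (not from the original post): OpenSSL's CA lookup is keyed on
# the hash of the issuer Distinguished Name, shown with the openssl CLI.
# Assumes an `openssl` binary on PATH; all names and files are constructed here.

# Build a throwaway PKI in directory $1: a root CA, a leaf it signed, and a
# second self-signed "root" that uses the SAME key as the CA but a different
# subject DN (the per-certificate issuer-name case the post speculates about).
make_pki() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -keyout "$d/ca.key" -out "$d/ca.pem" \
        -subj "/C=US/O=Example Trust Network/CN=Example Root CA" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" \
        -subj "/C=US/O=Example Server/CN=www.example.test" >/dev/null 2>&1
    openssl x509 -req -days 30 -in "$d/leaf.csr" \
        -CA "$d/ca.pem" -CAkey "$d/ca.key" -CAcreateserial \
        -out "$d/leaf.pem" >/dev/null 2>&1
    # Same key pair, different DN: an extra OU carrying a policy/licence string.
    openssl req -x509 -new -key "$d/ca.key" -days 30 -out "$d/ca-renamed.pem" \
        -subj "/C=US/O=Example Trust Network/OU=Terms of use at example.test/CN=Example Root CA" \
        >/dev/null 2>&1
}

# Hash of the leaf's issuer DN / of a CA's subject DN. This is what
# X509_NAME_hash() computes and what SSL_CTX_load_verify_locations() CApath
# lookups (c_rehash symlink names) are keyed on. Pre-1.0.0 values: *_hash_old.
issuer_hash()  { openssl x509 -noout -issuer_hash  -in "$1"; }
subject_hash() { openssl x509 -noout -subject_hash -in "$1"; }

# Exit 0 if the leaf's issuer-name hash equals the CA's subject-name hash.
hash_matches() {
    [ "$(issuer_hash "$1")" = "$(subject_hash "$2")" ]
}

# Exit 0 if OpenSSL can build and verify a chain from leaf $1 to anchor $2.
chain_verifies() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# For a leaf and a candidate root, show the hashes and the DNs behind them so
# the reader can see exactly which DN component differs.
explain() {
    leaf=$1; ca=$2
    printf 'leaf issuer : %s  %s\n' "$(issuer_hash "$leaf")" \
        "$(openssl x509 -noout -issuer -in "$leaf")"
    printf 'root subject: %s  %s\n' "$(subject_hash "$ca")" \
        "$(openssl x509 -noout -subject -in "$ca")"
    if chain_verifies "$leaf" "$ca"; then
        echo 'verify: OK'
    else
        echo 'verify: FAILED (no trusted cert whose subject DN matches the leaf issuer DN)'
    fi
}

demo() {
    d=$(mktemp -d)
    make_pki "$d"
    echo '--- root with the DN that actually signed the leaf ---'
    explain "$d/leaf.pem" "$d/ca.pem"
    echo '--- same key, different DN ---'
    explain "$d/leaf.pem" "$d/ca-renamed.pem"
    rm -rf "$d"
}

demo
```

The practical check this gives: if `openssl x509 -noout -issuer -in server.pem` and `openssl x509 -noout -subject -in root.pem` print different strings, OpenSSL will not pair them no matter how the verification callback is written, because issuer lookup happens by name before any signature or key comparison. The fix is to load the root whose subject DN matches the server certificate's issuer DN, not to bypass the hash.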
- Re: Verification of server certificate Rob Neff
- Re: Verification of server certificate Dr S N Henson
