Making sure that the server uses a certificate issued by Verisign is a case of using the SSL_CTX_load_verify_locations(...) function to add Verisign's root as a trusted certificate. There are actually quite a number of Verisign "roots", but I digress...

You will definitely want to perform some kind of checking of the server's subject name/altname (say, against the requested host name, like the browsers do) in the verify callback function as well, or all an aspiring man-in-the-middle would need was to go out and buy himself a Verisign certificate. There's loads more to it, of course. Revocation checking, for example. But Rome wasn't burned in a day...

Regards,
//oscar

Julio Kriger wrote:
>
> Hi,
> I'm a newbie. I have done an SSL client that connects to some HTTPS server.
> The server has Verisign as CA root.
> My question is: how can I validate/verify that the certificate I have
> received from the HTTPS server is the certificate from Verisign? Can I
> be sure if I only check the server certificate name? Must I do this
> inside the verify callback function? Even if I have written a client, I
> must use SSL_CTX_load_verify_locations? When must I set
> SSL_CTX_load_verify_locations(ctx, "VerisignCA.cert", NULL)? Is this
> correct?
> Thanks in advance.
>
> Julio
>
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
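
The name check recommended in the reply above, sketched as an added example that is not part of the original message or of OpenSSL: a simplified comparison of one certificate name (a subjectAltName dNSName or the subject CN) against the requested host name. The function names and sample names are hypothetical; in current OpenSSL releases X509_check_host() or SSL_set1_host() performs this check for you.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* ASCII case-insensitive comparison of n bytes (DNS names ignore case). */
static int eq_nocase(const char *a, const char *b, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return 0;
    return 1;
}

/* Return 1 if a certificate name (len bytes, not assumed NUL-terminated)
 * matches the host name the client asked for, otherwise 0. */
int name_matches_host(const char *name, size_t len, const char *host) {
    size_t host_len = strlen(host);
    if (len == 0 || host_len == 0)
        return 0;
    /* A NUL inside the name would make C string functions see a shorter
     * name than the CA signed, so such names are rejected outright. */
    if (memchr(name, '\0', len) != NULL)
        return 0;
    if (len >= 2 && name[0] == '*' && name[1] == '.') {
        const char *suffix = name + 1;            /* e.g. ".example.com" */
        size_t suffix_len = len - 1;
        /* Refuse "*.com": the suffix must itself contain a dot. */
        if (memchr(suffix + 1, '.', suffix_len - 1) == NULL)
            return 0;
        /* The wildcard stands for exactly one non-empty leftmost label. */
        const char *dot = strchr(host, '.');
        if (dot == NULL || dot == host)
            return 0;
        return host_len - (size_t)(dot - host) == suffix_len &&
               eq_nocase(dot, suffix, suffix_len);
    }
    /* A '*' anywhere else is not treated as a wildcard. */
    if (memchr(name, '*', len) != NULL)
        return 0;
    return len == host_len && eq_nocase(name, host, len);
}

int main(void) {
    /* Constructed sample names, as they might appear in a certificate. */
    const char *names[] = { "www.example.com", "*.example.com", "*.com" };
    const char *host = "www.example.com";
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++)
        printf("%-16s vs %s -> %d\n", names[i], host,
               name_matches_host(names[i], strlen(names[i]), host));
    return 0;
}
```

A certificate that chains to the trusted root but fails this comparison for the requested host should cause the connection to be rejected.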
