Hello,

I have a legacy app that I converted to use SSL encryption. I have
everything working, except server authentication.

I'm trying to test the host name in the server's cert post
handshake. Using:

#include <string.h>
#include <strings.h>
#include <openssl/ssl.h>
#include <openssl/x509.h>

void check_cert(SSL *ssl, char *host)
{
    X509 *peer;
    char peer_CN[256];

    /* Check the cert chain. The chain length is automatically
       checked by OpenSSL when we set the verify depth in the ctx */
    if (SSL_get_verify_result(ssl) != X509_V_OK)
        berr_exit("Certificate doesn't verify");

    /* Check the common name. SSL_get_peer_certificate() returns a
       new reference, or NULL if the peer presented no certificate,
       so a NULL result must fail closed and a non-NULL one must be
       released with X509_free(). */
    peer = SSL_get_peer_certificate(ssl);
    if (!peer)
        err_exit("No peer certificate was presented");

    if (X509_NAME_get_text_by_NID(X509_get_subject_name(peer),
                                  NID_commonName, peer_CN,
                                  sizeof(peer_CN)) < 0)
        err_exit("Peer certificate has no common name");

    if (strcasecmp(peer_CN, host))
        err_exit("Common name doesn't match host name");

    X509_free(peer);
}

This routine is being called after the handshake. What happens is
SSL_get_peer_certificate returns null.

I tried adding a call to SSL_CTX_set_verify() thinking this would
make the server's cert available, but all this did was generate the
following error on the server:

SSL accept error
23956:error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert
unknown ca:s3_pkt.c:1053:SSL alert number 48

The server's certificate was self-signed. What am I missing?

Bill
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org