Hi;
- Verifying a self-signed cert is strange. How would you trust it?
The standard way is to have your own CA, then issue a cert
for your server, and then use the CA cert as trust anchor in your
client.
Anyway, your code is false for at
least three reasons:
- The get by NID returns the highest common name, not the
lowest (you can have more in theory).
- You don't treat the character type.
- You don't check whether the common name contains,
for example, hostname\0some.other.domain (\0 is
a binary 0).
It is incomplete because you don't check the subjectAltNames
and wildcards.
Bill Schoolfield wrote:
Hello,
I have a legacy app that I converted to use SSL encryption. I have
everything working, except server authentication.
I'm trying to test the host name in the server's cert post
handshake. Using:
#include <string.h>
#include <strings.h>
#include <openssl/ssl.h>
#include <openssl/x509.h>

void check_cert(SSL *ssl, char *host)
{
    X509 *peer;
    char peer_CN[256];

    if (SSL_get_verify_result(ssl) != X509_V_OK)
        berr_exit("Certificate doesn't verify");

    /* Check the cert chain. The chain length
       is automatically checked by OpenSSL when
       we set the verify depth in the ctx */

    /* Check the common name */
    peer = SSL_get_peer_certificate(ssl);
    if (peer) {
        X509_NAME_get_text_by_NID(X509_get_subject_name(peer),
                                  NID_commonName, peer_CN, 256);
        if (strcasecmp(peer_CN, host))
            err_exit("Common name doesn't match host name");
        X509_free(peer);    /* SSL_get_peer_certificate increments the refcount */
    }
}
This routine is being called after the handshake. What happens is
SSL_get_peer_certificate returns null.
I tried adding a call to SSL_CTX_set_verify() thinking this would
make the server's cert available, but all this did was generate the
following error on the server:
SSL accept error
23956:error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert
unknown ca:s3_pkt.c:1053:SSL alert number 48
The server's certificate was self signed. What am I
missing?
Bill
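A host-name check that covers the points raised in the reply above (embedded NUL in the name, several CNs in one subject, subjectAltName before CN, wildcards), as an added example that is not code from the thread or from OpenSSL. It works on constructed name/length pairs instead of an X509 handle; the cert_name type, the NAME macro and the function names are assumptions of this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>
#include <strings.h>

/* Name as it comes out of the certificate: bytes plus explicit length, since
 * a DER string may contain a 0 byte (constructed type, not an OpenSSL API). */
typedef struct { const unsigned char *data; size_t len; } cert_name;
#define NAME(lit) { (const unsigned char *)(lit), sizeof(lit) - 1 }

/* Match one name: reject embedded NUL ("hostname\0other" is longer than strlen
 * says), compare case-insensitively over the full length, accept '*' only as
 * the entire leftmost label and only when a dot remains after it. */
static bool name_matches(const cert_name *n, const char *host)
{
    const char *name = (const char *)n->data;
    size_t hlen = strlen(host);
    if (n->len == 0 || memchr(n->data, '\0', n->len) != NULL)
        return false;
    if (n->len > 2 && name[0] == '*' && name[1] == '.') {
        const char *dot = strchr(host, '.');            /* drop host's first label */
        if (dot == NULL || dot == host || memchr(name + 2, '.', n->len - 2) == NULL)
            return false;
        size_t rest = hlen - (size_t)(dot - host);      /* e.g. ".example.com" */
        return rest == n->len - 1 && strncasecmp(dot, name + 1, rest) == 0;
    }
    return n->len == hlen && strncasecmp(name, host, hlen) == 0;
}

/* Prefer subjectAltName dNSName entries; fall back to the *last* CN only when
 * the certificate has no dNSName at all (a subject may carry several CNs). */
static bool check_host(const cert_name *sans, size_t nsans,
                       const cert_name *cns, size_t ncns, const char *host)
{
    if (nsans > 0) {
        for (size_t i = 0; i < nsans; i++)
            if (name_matches(&sans[i], host)) return true;
        return false;
    }
    return ncns > 0 && name_matches(&cns[ncns - 1], host);
}

/* Constructed scenarios, no real certificate involved. */
static bool demo_checks(void)
{
    static const cert_name sans[] = { NAME("*.example.com") };
    static const cert_name cns[] = { NAME("legacy.example.net"), NAME("www.example.com") };
    static const cert_name bad[] = { NAME("hostname\0some.other.domain"), NAME("*.com") };
    return check_host(sans, 1, cns, 2, "WWW.Example.com")       /* wildcard SAN, any case */
        && !check_host(sans, 1, cns, 2, "legacy.example.net")   /* CN ignored when SAN present */
        && check_host(NULL, 0, cns, 2, "www.example.com")       /* last CN is used */
        && !check_host(NULL, 0, cns, 2, "legacy.example.net")   /* first CN is not */
        && !check_host(bad, 2, NULL, 0, "hostname")             /* embedded NUL rejected */
        && !check_host(bad, 2, NULL, 0, "example.com");         /* bare "*.com" rejected */
}
```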
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [email protected]
Automated List Manager [email protected]