Hi Bill:
On August 6, 2009 10:38:24 am Bill Schoolfield wrote:
> Hello,
>
> I have a legacy app that I converted to use ssl encryption. I have
> everything working, except server authentication.
>
> I'm trying to test the host name in the server's cert post
> handshake. Using:
>
> #include <strings.h>        /* strcasecmp */
> #include <openssl/ssl.h>
> #include <openssl/x509.h>
>
> void check_cert(SSL *ssl, char *host)
> {
>     X509 *peer;
>     char peer_CN[256];
>
>     if (SSL_get_verify_result(ssl) != X509_V_OK)
>         berr_exit("Certificate doesn't verify");
>
>     /* Check the cert chain. The chain length
>        is automatically checked by OpenSSL when
>        we set the verify depth in the ctx */
>
>     /* Check the common name */
>     peer = SSL_get_peer_certificate(ssl);
>     if (!peer)
>         err_exit("No peer certificate presented"); /* never fall through silently */
>
>     /* returns -1 if the subject has no CN; peer_CN would be uninitialised */
>     if (X509_NAME_get_text_by_NID(X509_get_subject_name(peer),
>                                   NID_commonName, peer_CN, sizeof(peer_CN)) < 0)
>         err_exit("No common name in certificate");
>
>     if (strcasecmp(peer_CN, host))
>         err_exit("Common name doesn't match host name");
>
>     X509_free(peer); /* SSL_get_peer_certificate() returns a new reference */
> }
>
> This routine is being called after the handshake. What happens is
> SSL_get_peer_certificate returns null.
>
Is your SSL_CTX_set_verify set up as follows?
SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER|SSL_VERIFY_CLIENT_ONCE, cb);
(have cb == NULL if you don't want to have your own custom callback to handle
the verification.)
If not, then you're not actually telling the SSL/TLS session to request the
peer's certificate (the SSL_VERIFY_CLIENT_ONCE is optional).
Have fun.
--
Patrick Patterson
President and Chief PKI Architect,
Carillon Information Security Inc.
http://www.carillon.ca
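An added example, not part of this thread and not from either poster, showing the two points above in Python's standard-library ssl module rather than OpenSSL's C API: the verify mode is what makes the library request and retain the server certificate (with CERT_NONE, getpeercert() returns {} or None, the counterpart of SSL_get_peer_certificate() returning NULL), and a hand-written name check must treat a missing certificate as a failure rather than falling through the way the posted `if (peer) { ... }` does. The certificate dict, host names and function names are constructed for illustration; the name matching prefers subjectAltName dNSName entries over the CN, as RFC 6125 describes.

```python
import ssl

# Constructed sample in the dict layout returned by ssl.SSLSocket.getpeercert().
# Hypothetical names; this is not a real certificate.
SAMPLE_CERT = {
    "subject": ((("organizationName", "Example Legacy App"),),
                (("commonName", "legacy.example.test"),)),
    "subjectAltName": (("DNS", "legacy.example.test"),
                       ("DNS", "*.alt.example.test")),
}


def make_client_context() -> ssl.SSLContext:
    """Client context that requires and verifies the server certificate.

    This is the stdlib counterpart of SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, NULL):
    without CERT_REQUIRED the peer certificate is neither validated nor usable
    afterwards, which is the NULL-certificate symptom described in the thread.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.load_default_certs()              # system trust store; use a private CA if you have one
    ctx.verify_mode = ssl.CERT_REQUIRED   # already the default for PROTOCOL_TLS_CLIENT
    ctx.check_hostname = True             # built-in SAN/CN matching against server_hostname
    return ctx


def context_is_strict(ctx: ssl.SSLContext) -> bool:
    """True when the context both requires a certificate and checks the host name."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def can_disable_verification(ctx: ssl.SSLContext) -> bool:
    """True if verify_mode could be dropped to CERT_NONE while check_hostname is on.

    CPython refuses that combination with ValueError, a guard rail the
    hand-written C check in the thread does not have.
    """
    try:
        ctx.verify_mode = ssl.CERT_NONE
        return True
    except ValueError:
        return False


def _dns_names(cert: dict) -> list:
    """Names a client may match: SAN dNSName entries, else the subject CN (RFC 6125 6.4.4)."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]


def _match_name(pattern: str, host: str) -> bool:
    """Case-insensitive exact match, or a single-label leftmost wildcard ("*.alt.example.test")."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[2:]
        if "." not in suffix:             # refuse "*.test": far too broad
            return False
        first, _, rest = host.partition(".")
        return bool(first) and rest == suffix
    return pattern == host


def lenient_check(cert, host: str) -> bool:
    """Mirror of the posted check_cert() control flow: `if (peer) { ... }` with no else,
    so a missing certificate passes without any name comparison at all."""
    if cert:
        return any(_match_name(n, host) for n in _dns_names(cert))
    return True


def check_peer_cert(cert, host: str) -> bool:
    """Strict version: no certificate (None) or an unverified one ({}) is a failure."""
    if not cert:
        return False
    return any(_match_name(n, host) for n in _dns_names(cert))


if __name__ == "__main__":
    ctx = make_client_context()
    print("strict context:", context_is_strict(ctx))
    print("lenient check accepts missing cert:", lenient_check(None, "legacy.example.test"))
    print("strict check accepts missing cert:", check_peer_cert(None, "legacy.example.test"))
    print("strict check, wildcard SAN:", check_peer_cert(SAMPLE_CERT, "api.alt.example.test"))
```

In current OpenSSL (1.0.2 and later) the same name check is available natively as X509_check_host(), and from 1.1.0 SSL_set1_host() folds it into the verification done under SSL_VERIFY_PEER, so the manual CN comparison in the thread is only needed on the older releases the thread dates from.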
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [email protected]
Automated List Manager [email protected]