I'm calling:

SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER|SSL_VERIFY_CLIENT_ONCE, cb);

but SSL_get_peer_certificate() still returns NULL. Supposedly this
happens only because an anonymous cipher was used. But I have
restricted the ciphers a la:

#define CIPHER_LIST "ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH"

Maybe self-signed certs are never made available as their contents
can't be relied on.

Bill


Patrick Patterson wrote:
> Hi Bill:
> 
> On August 6, 2009 10:38:24 am Bill Schoolfield wrote:
>> Hello,
>>
>> I have a legacy app that I converted to use ssl encryption. I have
>> everything working, except server authentication.
>>
>> I'm trying to test the host name in the server's cert post
>> handshake. Using:
>>
>> void check_cert(SSL *ssl, char *host)
>> {
>>     X509 *peer;
>>     char peer_CN[256];
>>
>>     if(SSL_get_verify_result(ssl)!=X509_V_OK)
>>         berr_exit("Certificate doesn't verify");
>>
>>     /*Check the cert chain. The chain length
>>       is automatically checked by OpenSSL when
>>       we set the verify depth in the ctx */
>>
>>     /*Check the common name*/
>>     peer=SSL_get_peer_certificate(ssl);
>>
>>     if(peer) {
>>         X509_NAME_get_text_by_NID
>>             (X509_get_subject_name(peer),
>>              NID_commonName, peer_CN, 256);
>>
>>         if(strcasecmp(peer_CN,host))
>>             err_exit("Common name doesn't match host name");
>>
>>         /* SSL_get_peer_certificate() returns a new reference;
>>            release it once we are done with the cert */
>>         X509_free(peer);
>>     }
>> }
>>
>> This routine is being called after the handshake. What happens is
>> SSL_get_peer_certificate returns null.
>>
> 
> Is your SSL_CTX_set_verify setup as follows?
> 
> SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER|SSL_VERIFY_CLIENT_ONCE, cb);
> 
> (have CB == NULL if you don't want to have your own custom callback to
> handle the verification.)
> 
> If not, then you're not actually having the SSL/TLS session say to
> request the peer's certificate (the SSL_VERIFY_CLIENT_ONCE is optional).
> 
> Have fun.
> 
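The check_cert() routine quoted above compares the certificate's CN to the host name with a plain strcasecmp, which accepts neither wildcard names nor the subjectAltName entries that modern certificates carry. The following is an added example (not code from the thread or from OpenSSL) of the name-matching rules a client should apply once it does have the peer certificate: case-insensitive comparison, a single wildcard only as the whole leftmost label matching exactly one label, no wildcards on short names like "*.com", and the CN consulted only when the certificate has no dNSName SANs at all. It is plain C with no OpenSSL dependency so that it runs stand-alone; the function names hostname_matches() and cert_matches_host() and the sample names are this example's own. In a real client built against OpenSSL 1.0.2 or later the same checks are available through X509_check_host(), and from 1.1.0 through SSL_set1_host() before the handshake. Two caveats for the cipher-list discussion: on the client side SSL_get_peer_certificate() returns the server certificate whenever the server sent one, irrespective of the verify mode, so a NULL there means no certificate arrived on that SSL object; and "!ADH" excludes only anonymous DH suites, whereas "!aNULL" excludes every suite that offers no authentication.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Case-insensitive comparison of two byte ranges (DNS names are ASCII). */
static bool label_eq(const char *a, size_t alen, const char *b, size_t blen)
{
    if (alen != blen) return false;
    for (size_t i = 0; i < alen; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return false;
    return true;
}

/* Returns true if `pattern` (a dNSName SAN value or CN) matches `host`.
 * Rules applied: case-insensitive; one trailing dot tolerated on either
 * side; a wildcard is accepted only as the entire leftmost label ("*."),
 * matches exactly one label, and requires at least two further labels
 * ("*.example.com" is fine, "*.com" is rejected). */
bool hostname_matches(const char *pattern, const char *host)
{
    size_t plen = strlen(pattern), hlen = strlen(host);
    if (plen && pattern[plen - 1] == '.') plen--;   /* absolute name */
    if (hlen && host[hlen - 1] == '.') hlen--;
    if (plen == 0 || hlen == 0) return false;

    /* Exact match first (covers the common non-wildcard case). */
    if (label_eq(pattern, plen, host, hlen)) return true;

    /* Wildcard form: must begin with "*." and contain no other '*'. */
    if (!(plen > 2 && pattern[0] == '*' && pattern[1] == '.')) return false;
    const char *psuffix = pattern + 2;
    size_t slen = plen - 2;
    if (memchr(psuffix, '*', slen) != NULL) return false;
    if (memchr(psuffix, '.', slen) == NULL) return false;   /* "*.com" */

    /* The host's leftmost label stands in for '*'; it must be non-empty
     * and the remainder must equal the pattern's suffix label by label. */
    const char *dot = memchr(host, '.', hlen);
    if (dot == NULL || dot == host) return false;
    const char *hsuffix = dot + 1;
    size_t hslen = hlen - (size_t)(hsuffix - host);
    return label_eq(psuffix, slen, hsuffix, hslen);
}

/* RFC 6125 style: if the certificate carries any dNSName SANs, only those
 * are consulted; the CN is a fallback for certificates without SANs. */
bool cert_matches_host(const char *const *sans, size_t nsans,
                       const char *cn, const char *host)
{
    if (nsans > 0) {
        for (size_t i = 0; i < nsans; i++)
            if (hostname_matches(sans[i], host)) return true;
        return false;
    }
    return cn != NULL && hostname_matches(cn, host);
}

int main(void)
{
    /* Constructed sample names, not taken from any real certificate. */
    const char *sans[] = { "mail.example.com", "*.example.com" };
    printf("exact:    %d\n", hostname_matches("www.example.com", "WWW.Example.COM"));
    printf("wildcard: %d\n", hostname_matches("*.example.com", "www.example.com"));
    printf("2 labels: %d\n", hostname_matches("*.example.com", "a.b.example.com"));
    printf("*.com:    %d\n", hostname_matches("*.com", "example.com"));
    printf("SAN wins: %d\n", cert_matches_host(sans, 2, "other.example.net", "api.example.com"));
    printf("CN only:  %d\n", cert_matches_host(NULL, 0, "www.example.com", "www.example.com"));
    return 0;
}
```

Because the wildcard matches exactly one label, "*.example.com" does not cover "example.com" itself nor "a.b.example.com"; a certificate for the bare name needs it listed explicitly as a SAN.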
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [email protected]
Automated List Manager                           [email protected]