Re: When to get peer certificate?

Fri, 05 Jan 2001 05:03:48 -0800 

On Fri, Jan 05, 2001 at 07:45:00AM -0500, Ari Pirinen wrote:
> When can I safely call SSL_get_peer_certificate?
> I am reading socket in non-blocking mode, and would like to
> know when I've read enough so that I can obtain the peer certificate. The
> reason is, as I've understood, I must check that CN matches the host name I
> requested to prevent MITM attacks. And no, I can't use the verify function
> (for this purpose) because it don't have context to my request (several
> requests can be going on at the same time).

Wait until the handshake is completly finished. Then call
SSL_get_peer_certificate() to obtain the certificate and check the CN.
Please understand, that the peer-certificate obtained this way is just
the certificate presented, you must additionally check whether it passed
the verification against the trusted CAs with SSL_get_verify_result().

> Also, I think I must close the connection if they dont match.
> Is there a special procedure to follow so that the other side
> knows I didn't approve of the certificate or do I just close?
There are two ways of thinking:
- Call SSL_shutdown() to allow for a clean shutdown of the SSL connection,
  then close() the socket. (This send a close-alert to the peer.)
- Call close() on the socket only to immediatly cancel the connection. This
  way you save bandwidth. In the logfiles, a "probably somebody pressed the
  STOP button" message might appear, depending on the type of server.
  Maybe nobody will take care of this message :-)
If you use session caching, you should make sure to delete the session from
cache, as we should not re-use a questionable session. (With OpenSSL you
have to write your own client side cache support, it is not available by
default.)

Best regards,
        Lutz
-- 
Lutz Jaenicke                             [EMAIL PROTECTED]
BTU Cottbus               http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik                  Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus              Fax. +49 355 69-4153
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]

Reply via email to