>On Fri, Jan 05, 2001 at 07:45:00AM -0500, Ari Pirinen wrote:
>> When can I safely call SSL_get_peer_certificate?
>> I am reading socket in non-blocking mode, and would like to
>> know when I've read enough so that I can obtain the peer certificate. The
>> reason is, as I've understood, I must check that CN matches the host name I
>> requested to prevent MITM attacks. And no, I can't use the verify function
>> (for this purpose) because it doesn't have context to my request (several
>> requests can be going on at the same time).

> Wait until the handshake is completely finished. Then call
>SSL_get_peer_certificate() to obtain the certificate and check the CN.

Thank you for the prompt reply. This was actually my question,
how do I know when the handshake is completely finished?
I found some functions from headers that seem to have something
to do with this:
#define SSL_is_init_finished(a)         (SSL_state(a) == SSL_ST_OK)
#define SSL_in_init(a)                  (SSL_state(a)&SSL_ST_INIT)
#define SSL_in_before(a)                (SSL_state(a)&SSL_ST_BEFORE)
#define SSL_in_connect_init(a)          (SSL_state(a)&SSL_ST_CONNECT)
#define SSL_in_accept_init(a)           (SSL_state(a)&SSL_ST_ACCEPT)

Is handshake completely finished when SSL_is_init_finished
returns true, or can it be finished before that?

>Please understand, that the peer-certificate obtained this way is just
>the certificate presented, you must additionally check whether it passed
>the verification against the trusted CAs with SSL_get_verify_result().

Yes, I understand this. I probably will add my own verify
callback there... I assume that the verify callback gets called
immediately when the initialisation is finished, that is,
essentially meaning the verify callback is called before I
will check the CN?

>> Also, I think I must close the connection if they don't match.
>> Is there a special procedure to follow so that the other side
>> knows I didn't approve of the certificate or do I just close?
>There are two ways of thinking:
>- Call SSL_shutdown() to allow for a clean shutdown of the SSL connection,
>  then close() the socket. (This sends a close-alert to the peer.)

Thank you.

Regards,
Ari Pirinen
[EMAIL PROTECTED]


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
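
The CN-against-requested-host comparison discussed in the thread, as an added example that is not part of the original messages and not OpenSSL project code. The names cn_matches_host and eq_nocase are hypothetical; the sketch assumes the CN bytes and their length were already taken from the peer certificate after the handshake finished and the chain verified, and that the host is a DNS name rather than an IP address.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Case-insensitive: n bytes of a against all of NUL-terminated b. */
static int eq_nocase(const unsigned char *a, size_t n, const char *b)
{
    size_t i;
    if (strlen(b) != n)
        return 0;
    for (i = 0; i < n; i++)
        if (tolower(a[i]) != tolower((unsigned char)b[i]))
            return 0;
    return 1;
}

/* Hypothetical helper: returns 1 if the certificate CN (cn_len raw bytes,
 * not NUL-terminated) names the host the caller actually requested. */
int cn_matches_host(const unsigned char *cn, size_t cn_len, const char *host)
{
    const char *dot;

    if (cn == NULL || host == NULL || cn_len == 0 || host[0] == '\0')
        return 0;
    /* An embedded NUL would make C string functions see only the prefix
     * of the name; refuse such a CN outright instead of truncating it. */
    if (memchr(cn, '\0', cn_len) != NULL)
        return 0;
    if (eq_nocase(cn, cn_len, host))
        return 1;
    /* Wildcard: only "*.<suffix>", the suffix must itself contain a dot,
     * and "*" stands for exactly one non-empty leftmost label of host. */
    if (cn_len < 3 || cn[0] != '*' || cn[1] != '.')
        return 0;
    if (memchr(cn + 2, '.', cn_len - 2) == NULL)
        return 0;
    dot = strchr(host, '.');
    if (dot == NULL || dot == host)
        return 0;
    return eq_nocase(cn + 1, cn_len - 1, dot);
}

int main(void)
{
    /* Constructed sample: a 26-byte CN with an embedded NUL. */
    static const unsigned char cn[] = "www.example.com\0.evil.test";
    printf("match=%d\n", cn_matches_host(cn, sizeof cn - 1, "www.example.com"));
    return 0;
}
```

Keeping the requested host name next to each SSL object lets this run per connection once the handshake is done, without relying on the verify callback for request context. Current OpenSSL releases also provide X509_check_host() for this comparison.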
