On Fri, Jan 05, 2001 at 08:31:23AM -0500, Ari Pirinen wrote:
> Thank you for the prompt reply. This was actually my question,
> how do I know when the handshake is completely finished?

That is a good question :-) I would call SSL_connect() to establish
the connection. Once SSL_connect() returns with '1', the connection is
established and the handshake is finished :-)

> I found some functions from headers that seem to have something
> to do with this:
> #define SSL_is_init_finished(a)               (SSL_state(a) == SSL_ST_OK)
> #define SSL_in_init(a)                        (SSL_state(a)&SSL_ST_INIT)
> #define SSL_in_before(a)              (SSL_state(a)&SSL_ST_BEFORE)
> #define SSL_in_connect_init(a)                (SSL_state(a)&SSL_ST_CONNECT)
> #define SSL_in_accept_init(a)         (SSL_state(a)&SSL_ST_ACCEPT)
> 
> Is handshake completely finished when SSL_is_init_finished
> returns true, or can it be finished before that?

I did read some of the source but I am not sure on how to use these functions.

> >Please understand, that the peer-certificate obtained this way is just
> >the certificate presented, you must additionally check whether it passed
> >the verification against the trusted CAs with SSL_get_verify_result().
> 
> Yes, I understand this. I probably will add my own verify
> callback there... I assume that the verify callback gets called
> immediately when the initialisation is finished, that is,
> essentially meaning the verify callback is called before I
> will check the CN ?

Once the callback is called, the handshake is not finished, but you already
have the certificate needed from the peer. You could immediately check
the CN once you are checking at depth "0", since this is your peer's
certificate! This way you would not even have to wait until the handshake
is completed.
If you set up the verify options with SSL_VERIFY_PEER and have the callback
return "0" on non-matching CN, OpenSSL will make the handshake fail,
so you only have to close() the socket afterwards.
(As a side effect, no session will be cached on either side.)

Best regards,
        Lutz
-- 
Lutz Jaenicke                             [EMAIL PROTECTED]
BTU Cottbus               http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik                  Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus              Fax. +49 355 69-4153
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
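The depth-0 CN check Lutz describes, written out as an added example (not code from the post or from OpenSSL): the OpenSSL calls that supply the callback's inputs are named in the comments, while `verify_decision` and `cn_matches_host` are hypothetical helper names chosen here so the decision logic can be compiled and exercised without linking libssl.

```c
#include <ctype.h>
#include <stdbool.h>
#include <string.h>

/* Case-insensitive comparison of a certificate CN against the host we
 * intended to connect to.  A single leading "*." wildcard is allowed and
 * matches exactly one DNS label, so "*.example.com" matches
 * "www.example.com" but neither "example.com" nor "a.b.example.com". */
static bool cn_matches_host(const char *cn, const char *host)
{
    if (cn == NULL || host == NULL || *cn == '\0' || *host == '\0')
        return false;
    if (strncmp(cn, "*.", 2) == 0) {
        const char *dot = strchr(host, '.');
        /* the host needs one label before the first dot, and the rest of
         * it must equal the wildcard's suffix exactly */
        if (dot == NULL || dot == host)
            return false;
        cn += 1;     /* skip '*', leaving ".example.com" */
        host = dot;  /* leaving ".example.com" as well */
    }
    if (strlen(cn) != strlen(host))
        return false;
    for (; *cn; cn++, host++)
        if (tolower((unsigned char)*cn) != tolower((unsigned char)*host))
            return false;
    return true;
}

/* The verdict an SSL_VERIFY_PEER callback should reach.  In the real
 * callback, int cb(int preverify_ok, X509_STORE_CTX *ctx), the depth is
 * X509_STORE_CTX_get_error_depth(ctx) and the CN of the depth-0 cert is
 * read with X509_NAME_get_text_by_NID(X509_get_subject_name(
 *   X509_STORE_CTX_get_current_cert(ctx)), NID_commonName, buf, sizeof buf).
 * Returning 0 makes OpenSSL abort the handshake, as the post describes. */
int verify_decision(int preverify_ok, int depth, const char *cn,
                    const char *expected_host)
{
    /* never turn a chain or CA failure into a pass: keep OpenSSL's verdict */
    if (!preverify_ok)
        return 0;
    /* intermediate and root CAs: nothing host-specific to check there */
    if (depth > 0)
        return 1;
    /* depth 0 is the peer's own certificate: enforce the hostname here */
    return cn_matches_host(cn, expected_host) ? 1 : 0;
}
```

Current OpenSSL releases can do this check natively with SSL_set1_host() / X509_check_host(), which also consult the subjectAltName extension that a CN-only comparison like the one above ignores.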