Thank you Justin! Just to nail down my understanding of your last paragraph - you said "just compare the fingerprint of the certificate with your list of allowed fingerprints" - my question is, would this be done in my verify callback function (int (*verify_callback)(int, X509_STORE_CTX *))?

And if yes, do I more or less ignore the value of the first ("ok") parameter passed in? (Do my own checking on the expired stuff - or maybe there's some way to get the reasons for failure if the cert fails, one of those reasons being acceptable in my case?) Thanks again!

--- Justin Karneges <[EMAIL PROTECTED]> wrote:

> On Thursday 27 October 2005 07:25, M G wrote:
> > Hi list,
> >
> > My goal is to create mutual authentication for small business (each client
> > app is also a server that can share data securely), is there a way to use
> > SSL the "normal" way i.e., to create an X509 store, set verify function,
> > use certificates, etc, ... but not require users to sign with a CA
> > certificate? i.e., Everyone has self-signed certificates with fingerprints
> > that are shared via out-of-band methods.
>
> As far as I know, you can put a self-signed certificate into an X509_STORE as
> trusted and then the connection will verify properly. In fact, all root CA
> certs that you usually have in the X509_STORE already are self-signed. The
> only difference between a normal cert and a "CA" cert is that the CA certs
> have extra bits in them to indicate they can sign for other certs (but you
> don't need this feature, nor is this feature required for a cert to be
> allowed inside an X509_STORE and trusted).
>
> Putting your self-signed certs into the X509_STORE would be the safest method
> of using SSL, because then everything really would be "normal". You'd do an
> SSL connection as you're supposed to, the cert would verify, and off you go.
> This may also be a more future-proof and compatible method, since not all SSL
> libraries will necessarily allow you to ignore invalid certificates (I'm told
> this is how J2ME works).
>
> The only trouble I can see you running into is if you don't have all the
> client certificates pre-traded. If each client only has a cache of
> fingerprints, then you will have to do some extra voodoo. Handling this in
> OpenSSL would be fairly easy, just compare the fingerprint of the certificate
> with your list of allowed fingerprints.
>
> -Justin
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    openssl-users@openssl.org
> Automated List Manager                           [EMAIL PROTECTED]