Thank you Justin!
Just to nail down my understanding of your last
paragraph - you said "just compare the fingerprint of
the certificate with your list of allowed
fingerprints" - My question is, would this be done in
my verify callback function? (int
(*verify_callback)(int, X509_STORE_CTX *)) ?
And if yes, do I more or less ignore the value of the
first ("ok") parameter passed in? (do my own checking
on the expired stuff - or maybe there's some way to
get the reasons for failure if the cert fails?) ...
one of those reasons being acceptable in my case?
Thanks again!
--- Justin Karneges <[EMAIL PROTECTED]> wrote:
> On Thursday 27 October 2005 07:25, M G wrote:
> > Hi list,
> >
> > My goal is to create mutual authentication for
> small business (each client
> > app is also a server that can share data
> securely), is there a way to use
> > SSL the "normal" way i.e., to create an X509
> store, set verify function,
> > use certificates, etc, ... but not require usrs to
> sign with a CA
> > certificate? i.e., Everyone has self-signed
> certificates with fingerprints
> > that are shared via out-of-band methods.
>
> As far as I know, you can put a self-signed
> certificate into an X509_STORE as
> trusted and then the connection will verify
> properly. In fact, all root CA
> certs that you usually have in the X509_STORE
> already are self-signed. The
> only difference between a normal cert and a "CA"
> cert is that the CA certs
> have extra bits in them to indicate they can sign
> for other certs (but you
> don't need this feature, nor is this feature
> required for a cert to be
> allowed inside an X509_STORE and trusted).
>
> Putting your self-signed certs into the X509_STORE
> would be the safest method
> of using SSL, because then everything really would
> be "normal". You'd do an
> SSL connection as you're supposed to, the cert would
> verify, and off you go.
> This may also be a more future-proof and compatible
> method, since not all SSL
> libraries will necessarily allow you to ignore
> invalid certificates (I'm told
> this is how J2ME works).
>
> The only trouble I can see you running into is if
> you don't have all the
> client certificates pre-traded. If each client only
> has a cache of
> fingerprints, then you will have to do some extra
> voodoo. Handling this in
> OpenSSL would be fairly easy, just compare the
> fingerprint of the certificate
> with your list of allowed fingerprints.
>
> -Justin
>
______________________________________________________________________
> OpenSSL Project
> http://www.openssl.org
> User Support Mailing List
> openssl-users@openssl.org
> Automated List Manager
> [EMAIL PROTECTED]
>
__________________________________________________
Do You Yahoo!?
Tired of spam? Yahoo! Mail has the best spam protection around
http://mail.yahoo.com
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager [EMAIL PROTECTED]
