Mark wrote:
Hi Fred,
Hello Mark,

I have read the manual page ;-) However I don't understand the full
implications of using or not using this function in a server.  If I
use it what does the client do with it?  Does the client still need
a copy of the root certificate or is this provided automatically by
the server? The O'Reilly Book makes no mention of this function that I can find.

???
Root cert for what ?
For his own cert ?
To verify that he is himself ?

The root cert is needed by that side of the communication that wants
to verify the certificate presented by the other side.

* If the client wants to verify that he really is talking to
  the server he wants to talk to,
  he needs the root cert of the cert chain that signed the server
  cert.
* If the server wants to verify the client certificate,
  he needs the root certificate of the chain that signed the
  client certificate (if he also needs the intermediate
  certificates or if the client sends them, I don't know)
  And since the server initiates the verify he sends a list
  of names of CA certificates he accepts for verify.

Since both sides use the root certificate as ultimate foundation
of trust, both sides need the root certificates they trust locally.
(And should discard all root certificates the peer sent)


Do I need to program the client side any differently?

If you want to be able to use more than one client certificate
(depending on what the server wants),
you have to set a client_cert_callback.
In it you fetch the list of accepted CA certificates
the server sent with SSL_get_client_CA_list(),
determine which cert (and key) you want to use,
set it with the appropriate functions and return the callback.

Does SSL_load_client_CA_file() load the relevant information from the
root certificate or do I have to do something else to get this info?

On client side or server side ?
It is not for use on client side.
You can use it on server side to load
the list of CA names the server accepts
(if he points his verify data to this file)

Bye

Goetz

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Frédéric Donnat fdonnat-at-netsecureone.com |Openssl/1.0-Allow|
Sent: 05 December 2005 23:16
To: Mark Williams
Subject: RE : SSL_CTX_set_client_CA_list functions

In SSL protocol the server is supposed to send the client a list of CA (that the server trusts) for client authentication. The SSL_CTX_set_client_CA_list() is here to set up this list of CA "name". If none are provided the certificate location should be used to do so.

Have a look at the online documentation.
http://www.openssl.org/docs/ssl/SSL_CTX_set_client_CA_list.html#

-------- Original message --------
From:     Mark [mailto:[EMAIL PROTECTED]

Can somebody please explain whether one of the CA_list functions
is necessary in a server that needs to authenticate a client?

I am using the SSL_CTX_load_verify_locations() to point to the
certificates directory containing the root certificate and all
client certificates.  Is that sufficient?


--
DMCA: The greed of the few outweighs the freedom of the many
