Wouldn't it be sufficient to use SSL_CTX_set_verify_locations to point to
the server's certificate itself?
I thought the verification process would accept the certificate as long
as one of the certificates in the chain is trusted, even if it is the
last one. Or first, depending on how you see it.
Marek Marcola wrote:
> Hello,
>
>> Can anyone please help me with the question below?
>> Thanks,
>> Ravi.
>>
>> On 8/3/06, ravi shankar <[EMAIL PROTECTED]> wrote:
>> Hi,
>> I am new to openssl. How do we tell the SSL client to trust
>> the server certificate in advance using openssl APIs? For
>> example, when we have the trusted root from the webserver, we
>> can use the SSL_CTX_set_verify_locations function to tell the
>> client to trust the server certificate if it matches the
>> trusted root.
>> But when we have only the server certificate (before making the
>> connection itself) instead of the trusted root, which function
>> can be used to tell the ssl client to trust the server
>> certificate? Can anyone explain this to me?
>
> I'm not sure if there is such an API in OpenSSL, but ...
> ... if you already have the server certificate and you want to trust
> only this server, you may connect to this server (SSL_connect())
> without peer authentication; after a successful SSL connection,
> at your application layer you may get the server certificate using
> SSL_get_peer_certificate(), calculate, for example, a message digest
> of this certificate and compare it with the message digest of the
> certificate that you already have. If the comparison succeeds you
> proceed; if not, simply shut down the SSL connection.
Best regards,
--
Alain Damiral,
I hope this message makes me look like a very intelligent person
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager [EMAIL PROTECTED]
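The two approaches discussed in this thread, written out as an added Python example (this is not code from the thread, from any of its participants, or from the OpenSSL project). Python's `ssl` module sits directly on OpenSSL, so `SSLContext.load_verify_locations()` is the `SSL_CTX_load_verify_locations()` call the thread is circling around, and `getpeercert(binary_form=True)` returns the DER bytes that `SSL_get_peer_certificate()` hands you in C. `pinned_connect()` is Marek's suggestion (handshake with verification off, then compare a digest of the presented leaf certificate against a known value); `context_trusting_server_cert()` is Alain's (put the server's own certificate into the trust store). Host, port, fingerprint and certificate path are placeholders assumed for illustration; the fingerprint format accepted is the `AB:CD:...` form printed by `openssl x509 -noout -fingerprint -sha256`.

```python
import hashlib
import hmac
import socket
import ssl


def cert_fingerprint(der_cert: bytes) -> str:
    """SHA-256 of the DER-encoded certificate as lowercase hex without colons.

    This is the same digest `openssl x509 -noout -fingerprint -sha256` prints,
    once colons and case are normalised away.
    """
    return hashlib.sha256(der_cert).hexdigest()


def normalize_fingerprint(fp: str) -> str:
    """Accept 'AB:CD:...' (openssl CLI style) or plain hex; return lowercase hex."""
    return fp.replace(":", "").replace(" ", "").strip().lower()


def pin_matches(der_cert: bytes, expected_fp: str) -> bool:
    """Compare the presented certificate's digest against the pinned value."""
    return hmac.compare_digest(cert_fingerprint(der_cert), normalize_fingerprint(expected_fp))


def pinned_connect(host: str, port: int, expected_fp: str, timeout: float = 10.0) -> ssl.SSLSocket:
    """Marek's approach: handshake with no chain verification, then keep the
    connection only if the peer's leaf certificate hashes to the pinned value.

    Nothing may be sent or trusted before pin_matches() has returned True; the
    socket is closed and an SSLError raised on any mismatch.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be cleared before CERT_NONE is allowed
    ctx.verify_mode = ssl.CERT_NONE  # no trust store is consulted; the pin is the only check

    raw = socket.create_connection((host, port), timeout=timeout)
    tls = ctx.wrap_socket(raw, server_hostname=host)  # server_hostname still sets SNI
    try:
        der = tls.getpeercert(binary_form=True)  # DER bytes even though unverified
        if der is None or not pin_matches(der, expected_fp):
            raise ssl.SSLError("server certificate does not match the pinned fingerprint")
    except Exception:
        tls.close()
        raise
    return tls


def context_trusting_server_cert(cert_pem_path: str) -> ssl.SSLContext:
    """Alain's approach: load the server's own certificate as the only trust anchor.

    OpenSSL accepts this as-is when the server certificate is self-signed. When
    the certificate was issued by a CA, OpenSSL only treats a non-root trusted
    certificate as a valid chain end if the partial-chain flag is set, so it is
    enabled here when this Python build exposes it (ssl.VERIFY_X509_PARTIAL_CHAIN).
    Hostname checking stays on, so the name in the certificate is still enforced.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED + check_hostname by default
    ctx.load_verify_locations(cafile=cert_pem_path)
    partial_chain = getattr(ssl, "VERIFY_X509_PARTIAL_CHAIN", 0)
    if partial_chain:
        ctx.verify_flags |= partial_chain
    return ctx


if __name__ == "__main__":
    # Placeholder values, assumed for illustration only.
    HOST, PORT = "server.example.test", 443
    PINNED = "AB:CD:EF:00:" * 8  # replace with the real sha256 fingerprint
    with pinned_connect(HOST, PORT, PINNED) as conn:
        print("pinned connection established, cipher:", conn.cipher())
```

The pinned path deliberately skips both chain building and the hostname check: the digest alone identifies the server, so a DNS name in the certificate adds nothing, and a CA signature is irrelevant. The cost is operational rather than cryptographic: because the digest covers the whole certificate, any re-issue (even with the same key pair) changes it, and the client must be updated in step with the server. Alain's trust-store variant survives re-issue only if the trusted certificate really is the one the server presents (self-signed) or the anchor of its chain, and it keeps the hostname check, which is why it is the less brittle choice when the server certificate is self-signed.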