Found the problem...
The x509 pointer should not be freed since the ssl_ctx will continue to use it.
Thanks Liz

Liz Voss wrote:
Hello,
I need to implement a new requirement to verify the private certificate before it is used for an SSL/TLS connection. Basically I should not use a certificate that is expired or revoked. I am working with OpenSSL 0.9.8i.

I made function similar to what we are using to verify peer certificate but I am experiencing crashes in X509_verify_cert function.

I wonder if anybody is verifying private certificate used for SSL/TLS connection?
Any tip would be greatly appreciated.
Liz

I prepared ssl_ctx by loading CA, CRL, ciphers and private certificate.
Here is a code fragment showing the major steps.
#include <openssl/ssl.h>
#include <openssl/x509_vfy.h>

SSL *ssl;
X509 *x509     = NULL;
X509_STORE_CTX *ctx;
X509_STORE *cert_store = NULL;

ssl = SSL_new(ssl_ctx);
/* our own certificate; for the peer's use x509 = SSL_get_peer_certificate (ssl);
 * note: SSL_get_certificate() returns a pointer borrowed from the SSL object,
 * whereas SSL_get_peer_certificate() returns a new reference */
x509 = SSL_get_certificate (ssl);
cert_store = SSL_CTX_get_cert_store(ssl_ctx);
X509_STORE_set_verify_cb_func(cert_store, _verifyCertificateCallback);
ctx = X509_STORE_CTX_new();
X509_STORE_CTX_init(ctx, cert_store, x509, NULL);
X509_verify_cert(ctx);                 /* result: X509_STORE_CTX_get_error(ctx) */
X509_STORE_CTX_free(ctx);              /* frees the verify context only */
SSL_free(ssl);                         /* do not X509_free(x509): ssl_ctx still owns it */
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org