Re: verify client certificate at a later point

Wed, 23 Sep 2009 13:19:10 -0700 

On Wed, Sep 23, 2009 at 10:04:48PM +0200, Michael Prinzinger wrote:

>   and let the client verify the servers certificate, like this
> 
>     X509* x509 = SSL_get_peer_certificate(s);
> >     CHECK(x509 != NULL);
> >
> >     //check certificate
> >     long certVerifyResults = SSL_get_verify_result(s);
> >     if(certVerifyResults != X509_V_OK)
> >         throw SSLException("Error! Certificate could not be verified.\n);
> >
> >     //free x509
> >     X509_free(x509);

This only verifies the server's *trust chain*, but not its identity. To
properly verify a server, you MUST examine the certificate subjectAltName
extensions and if these are missing the CommonName in the subject DN.

> [2] now a secure connection is established

No "secure" connection is exists unless the client verified the server
certificate.

>    on it the server receives data encrypted with the servers public key, so
> only it can read it
>    in the data is information about the next node and the previous node
>    now the server knows the ssl certificate of the previous node and thus
> wants to check it,
>    since the verify mode is still set to server only, we set it a new
> 
> SSL_CTX_set_verify(this->ctx, SSL_VERIFY_PEER |
> > SSL_VERIFY_FAIL_IF_NO_PEER_CERT, NULL);

Entirely pointless after the SSL handshake is done.

> [3] if the server now runs the code above
> 
>     X509* x509 = SSL_get_peer_certificate(s);
> >     CHECK(x509 != NULL);
> >
> >     //check certificate
> >     long certVerifyResults = SSL_get_verify_result(s);
> >     if(certVerifyResults != X509_V_OK)
> >         throw SSLException("Error! Certificate could not be verified.\n);
> >
> >     //free x509
> >     X509_free(x509);

Again this would just "verify" the trust chain, and say nothing about
the client identity.

> Has anyone an idea, how this could be achieved with the OpenSSL API?

You are solving the wrong problem. Forget OpenSSL APIs, ... what actual
security goals are you trying to achieve and what is available on the
client and server to get you there?

-- 
        Viktor.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org

Reply via email to