Thank you again, Viktor, for your answer,

You are right, I am not too firm with OpenSSL terminology.
I tried to find some tutorials and introductions, but found relatively few,
and thus tried to understand OpenSSL from looking at the man pages and the
code, which makes it a little hard to get the big picture.


> Are you saying that the accepting system expects X.509 client credentials
> from the connecting system, but that the payload (encrypted to the
> receiving node's public key) also contains the same certificate, and
> you want to check that the peer client matches the encrypted request?
>

yes.

> If so, trust chain verification is completely irrelevant here. You
> don't need to repeat the handshake, rather implement a verification
> callback that accepts untrusted certificates (X.509 trust anchors seem
> inapplicable in this context) and compares them (via the public key
> fingerprint) to the designated certificate in the message payload.
>

yes, this would do what I want.
I would have to call BIO_do_handshake with a customized verification
callback that decrypts the payload, reads the certificate and compares it to
the one offered by the client?

Since there are no central trust authorities within the context of this
protocol, I can only directly verify a certificate, resp. some message signed
with the corresponding private key.


> If you want something else, you must explain it in a lot more detail.
>
> Note, your problem is understanding the crypto protocol design, not
> OpenSSL. You are using this list to get help with X.509 and cryptography,
> not really the OpenSSL API, so we are somewhat outside the list charter,
> but such questions are relatively common here...
>

Thank you for helping anyways.
If you know a good resource that explains X.509 infrastructure, I'd be glad
to read it.

Michael


>
> --
>         Viktor.
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    openssl-users@openssl.org
> Automated List Manager                           majord...@openssl.org
>
