On 12/1/2011 6:33 PM, Rohit Bansal wrote:
Hi,
Let me start with a disclaimer that I am not very experienced with
OpenSSL.
I have a requirement. In an enterprise, all clients and servers
communicate over SSL. The certs in client and server are self-signed.
There is one client application which talks to 100+ different services.
Currently the peer verification is done using a single file containing
all those self-signed certs on the client side.

    if (!SSL_CTX_load_verify_locations(context, trusted_certs_filename, NULL))
        fprintf(stderr,"SSL_CTX_load_verify_locations failed (file:%s)",
                _trusted_ca_certs_filename.chars());
    // client always receives a certificate from the server, and if that
    // certificate fails to verify, the handshake will be terminated
    SSL_CTX_set_verify(context, SSL_VERIFY_PEER, NULL);

As the PEM file in question contains 100+ certs, SSL context
initialization takes a while. My task is to migrate that to using CA
Path. I have a solution but also want to build a fallback mechanism.
I want to fall back on initializing the context with the PEM file in
case the cert verification fails with CA Path.
At a high level I see the following to be done:
- on the client, handle the reason code SSL_R_CERTIFICATE_VERIFY_FAILED
  from SSL_connect
- on the server, handle the reason code SSL_R_TLSV1_ALERT_UNKNOWN_CA from
  SSL_accept
- change the SSL context to have the PEM file as verified certs on the
  client side
- renegotiate the SSL handshake over the same socket
Do any of the users know of such an implementation or its
feasibility? Please help me with some ways to solve this issue.
Regards,
banro21

Here is another possibility:
1. Add your own verification callback, which should then be called when
   OpenSSL tries to verify that self-signed cert.
2. In your callback, manually try both verification methods before
   deciding if the result returned to the SSL code should be "valid" or
   "invalid".
3. The "Manual" code in the callback can presumably reuse the existing
   OpenSSL functions to do the verification, the point is that you get a
   chance to intercept the result before it reaches the SSL layer.
This way you won't get into the whole "renegotiate on a failed
connection" issue.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org