Re: Hard-coded trusted CA-cert
hi Henson,

Thanks for the suggestion. I tried the following code:

unsigned char CA_cert[811] = { 0x30, 0x82, 0x03, 0x27, 0x30, 0x82, ... };

/* load our CA cert into the certificate chain */
c = CA_cert;
x = d2i_X509(NULL, &c, (long) sizeof(CA_cert));
if (x == NULL) {
    goto end;
}
cert_store = SSL_CTX_get_cert_store(ctx);
X509_STORE_add_cert(cert_store, x);
if (x != NULL)
    X509_free(x);

This code is working fine, but I see a memory leak in this part of the code. I am losing 2048 bytes on the heap every time I exit out. I tried commenting out this code and everything is OK. Please can you tell me what cleanup procedure I am missing here?

thank you,
raj

--- "Dr. Stephen Henson" <[EMAIL PROTECTED]> wrote:

> On Wed, Mar 26, 2003, rajagopalan ramanujam wrote:
>
> [...]
>
> You need to retrieve the trusted certificate store using SSL_CTX_get_store()
> and then add the certificate to it using X509_STORE_add_cert().
>
> Steve.
Re: Hard-coded trusted CA-cert
On Wed, Mar 26, 2003, rajagopalan ramanujam wrote:

> hi,
>
> I have tested the SSL handshake but it is failing when verifying the server
> certificate with X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY. I generated a
> self-signed CA and used the same CA cert to verify using openssl verify and
> also using openssl s_client -verify 1 -CAfile, and it seems to be working
> perfectly OK.
>
> Since I don't have a file system on the embedded platform I cannot use
> SSL_CTX_load_verify_locations().
>
> I have converted the CA cert file from base64 format to a C structure using
> the openssl utility and I am calling SSL_CTX_use_certificate(ctx,x). Still I
> see that there is an error somewhere. I tried calling
> SSL_CTX_add_extra_chain_cert, but it did not help.
>

You need to retrieve the trusted certificate store using SSL_CTX_get_store()
and then add the certificate to it using X509_STORE_add_cert().

Steve.
--
Dr Stephen N. Henson.
Core developer of the OpenSSL project: http://www.openssl.org/
Freelance consultant see: http://www.drh-consultancy.demon.co.uk/
Email: [EMAIL PROTECTED], PGP key: via homepage.
Hard-coded trusted CA-cert
hi,

I have tested the SSL handshake but it is failing when verifying the server certificate with X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY. I generated a self-signed CA and used the same CA cert to verify using openssl verify and also using openssl s_client -verify 1 -CAfile, and it seems to be working perfectly OK.

Since I don't have a file system on the embedded platform I cannot use SSL_CTX_load_verify_locations().

I have converted the CA cert file from base64 format to a C structure using the openssl utility and I am calling SSL_CTX_use_certificate(ctx,x). Still I see that there is an error somewhere. I tried calling SSL_CTX_add_extra_chain_cert, but it did not help.

Can anyone let me know what's wrong in my code?

#include <openssl/ssl.h>
#include <openssl/x509.h>

unsigned char CA_cert[811] = { 0x30, 0x82, 0x03, 0x27, 0x30, 0x82, 0x02, 0x90, 0xA0, 0x03, 0x02, ... };

SSL_METHOD *meth;
SSL_CTX *ctx;
SSL *ssl;
long err;

void ssl_client(void)
{
    SSLeay_add_ssl_algorithms();
    meth = SSLv3_client_method();
    SSL_load_error_strings();
    ctx = SSL_CTX_new(meth);
    SSL_CTX_set_cipher_list(ctx, SSL3_TXT_RSA_RC4_40_MD5);
    {
        X509 *x = NULL;
        unsigned char *c;

        /* load our CA cert into the certificate chain */
        c = CA_cert;
        x = d2i_X509(NULL, &c, (long) sizeof(CA_cert));
        if (x == NULL) {
            goto end;
        }
        if (!SSL_CTX_add_extra_chain_cert(ctx, x)) {
            goto end;
        }
    }
    socket(...);
    ...
    SSL_connect(ssl);
    ...
    /* verify the server certificate */
    err = SSL_get_verify_result(ssl);
    ...
}
Re: Hard-coded trusted CA-cert
Hello,

I'm a newbie, but now I can hard-code the root certificate. Thank you!

Still one question:

X509 *x;
...
X509_free(x);  // do I have to call this?

Also, any example of how to read a certificate to/from a memory buffer would be nice. ;-)

Boguslaw Brandys

----- Original Message -----
From: "Dilkie, Lee" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, February 26, 2002 6:20 PM
Subject: RE: Hard-coded trusted CA-cert

> Dennis,
>
> This is what I did. I think I just looked into the
> SSL_CTX_load_verify_locations() function and copied what it did.
>
> {
>     X509 *x = NULL;
>     unsigned char *c;
>
>     c = CACert;
>     x = d2i_X509(NULL, &c, (long) sizeof(CACert));
>     if (x == NULL) {
>         PostErrStack("MiSslInit(): d2i_X509(CACert) failed");
>         goto ERROR_CLEANUP;
>     }
>     if (!SSL_CTX_add_extra_chain_cert(sslctx, x)) {
>         PostErrStack("MiSslInit(): SSL_CTX_add_extra_chain_cert() failed");
>         goto ERROR_CLEANUP;
>     }
> }
>
> hope this helps.
>
> -lee
>
> -----Original Message-----
> From: Dennis Jarosch [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, February 26, 2002 5:47 AM
> To: [EMAIL PROTECTED]
> Subject: Hard-coded trusted CA-cert
>
> Hi everybody!
>
> I'm searching for a way of hard-coding a trusted CA certificate into a
> client executable. I have browsed the archives and the documentation,
> but I was unable to find anything useful yet.
>
> Currently, I use SSL_CTX_load_verify_locations() to load my trusted
> CA file. In my case there will only be one trusted CA and I'd prefer not
> to load it from a file.
>
> So is there a way of declaring something like this:
>
> unsigned char CACert[] = {0x30, 0x82, 0x02, 0x6B, ...}
>
> which could be generated using 'openssl x509 -C -noout -in cacert.pem'
> and feeding it to the CTX for verification?
>
> Thanks for any help!
>
> Dennis