Working with sets of X.509 certificates
This is a follow-up to my Trust *only* certs signed by an intermediate CA thread. I'm ready to try my hand at writing a validation callback function, and this function will need to somehow distinguish between two different sets of CA certificates -- validation-only CAs that are used only to validate certificate chains and authorized CAs whose signees are actually allowed to connect. Does OpenSSL offer any APIs that can help with this? I see a lot of references to STACK_OF(X509) and X509_STORE in the headers, but I haven't been able to find any real documentation on these types. Tasks that I need to perform include: * Load a set of certificates from a file. * Add a loaded set of certificates to an SSL_CTX. * Efficiently determine if a certificate is a member of a set. Thanks! -- Ian Pilcher arequip...@gmail.com Sometimes there's nothing left to do but crash and burn...or die trying. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: Trust *only* certs signed by intermediate CA
On 03/09/2013 10:40 AM, Kyle Hamilton wrote: Create a new self-signed client CA certificate with the same key and Subject, setting the Issuer to the Subject of the client CA, and signed with the client CA private key. Use this as your client-authenticatior root. Well yes. I know I could workaround this by creating a self-signed root for the clients. The point of the question is how to do this with a hierarchy like the one I've described. It's becoming pretty clear that OpenSSL doesn't provide a simple way to do this today. (X509_V_FLAG_PARTIAL_CHAIN will probably enable this, but it will be years before that makes its way into slower moving distributions.) Alternatively, you might play around with policies, but that relies on your hierarchy already having policies in its certificates. My current thinking is that I should be able to do it with a validation callback. I haven't worked out the details yet. -- Ian Pilcher arequip...@gmail.com Sometimes there's nothing left to do but crash and burn...or die trying. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Trust *only* certs signed by intermediate CA
+-+ | Root CA | +-+ /\ / \ /\ / \ /\ / \ /\ / \ +---++---+ | Server CA || Client CA | +---++---+ Given the above CA hierarchy, how can I configure a (server) SSL_CTX to accept connections *only* from clients which present a certificate signed by the Client CA? As is well documented, I cannot simply trust the Client CA. SSL_accept() will fail, because it cannot form a certificate chain all the way to the self-signed Root CA. I have found, however, that adding the Root CA certificate to the trusted certificate file/directory causes certificates signed by the Server CA to be accepted as well. (The client has to present both its certificate and the Server CA certificate, but it is able to connect.) So how can I do this? Thanks! -- Ian Pilcher arequip...@gmail.com Sometimes there's nothing left to do but crash and burn...or die trying. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
RSA_generate_key_ex documentation
I've been looking all over for this, and I can't find it. Background - I'm trying to build stunnel on a platform that doesn't include RSA_generate_key, so I need to modify it to use the newer API. At the very least, I need to know how to check the return value of the new API. Thanks! -- Ian Pilcher arequip...@gmail.com __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: RSA_generate_key_ex documentation
On 07/11/2010 08:58 PM, Ger Hobbelt wrote: The new API is called RSA_generate_key_ex() and has a different interface. That much I know. The problem is finding the documentation for the new interface. the whole shebang bundled in a 7z for minimum transfer size. That's what I needed. (It did take me a while to figure out how to deal with a 7z file.) make install_html_docs I just downloaded openssl-1.0.0a.tar.gz from openssl.org and tried this. Neither RSA_generate_key.html nor RSA_generate_key_ex.html were created. Looking in doc/crypto, RSA_generate_key_ex.pod is not present (although RSA_generate_key.pod is). Hardly surprising that people are using the old API. I'll try e-mailing r...@openssl.org to report this. Thanks for your help! -- Ian Pilcher arequip...@gmail.com __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
RSA_generate_key_ex documentation
I've been looking all over for this, and I can't find it. Background - I'm trying to build stunnel on a platform that doesn't include RSA_generate_key, so I need to modify it to use the newer API. At the very least, I need to know how to check the return value of the new API. Thanks! -- Ian Pilcher arequip...@gmail.com __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Change key encryption algorithm
Is it possible to change the algorithm used to encrypt private keys (when used with 'openssl req -newkey ...)? I'd like to use AES256 instead of triple-DES. Thanks! -- Ian Pilcher[EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
