Re: Hard-coded trusted CA-cert
Hi Henson,

Thanks for the suggestion. I tried the following code:

    unsigned char CA_cert[811] = { 0x30, 0x82, 0x03, 0x27, 0x30, 0x82, ... };

    X509 *x = NULL;
    X509_STORE *cert_store;
    unsigned char *c;

    /* load our CA cert into the certificate chain */
    c = CA_cert;
    x = d2i_X509(NULL, &c, (long) sizeof(CA_cert));
    if (x == NULL) {
        goto end;
    }
    cert_store = SSL_CTX_get_cert_store(ctx);
    X509_STORE_add_cert(cert_store, x);
    if (x != NULL)
        X509_free(x);

This code is working fine, but I see a memory leak in this part of the code. I am losing 2048 bytes on the heap every time I exit. I tried commenting this code out and everything is OK. Please can you tell me what cleanup procedure I am missing here?

Thank you,
raj

--- Dr. Stephen Henson [EMAIL PROTECTED] wrote:

> On Wed, Mar 26, 2003, rajagopalan ramanujam wrote:
>
> > hi, I have tested the SSL handshake, but it fails when verifying the server
> > certificate: X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY. I generated the
> > self-signed CA and used the same CA cert to verify using openssl verify and also
> > using openssl s_client -verify 1 -CAfile, and it seems to be working perfectly OK.
> > Since I don't have a file system on the embedded platform I cannot use
> > SSL_CTX_load_verify_locations(). I have converted the CA cert file from base64
> > format to a C structure using the openssl utility and I am calling
> > SSL_CTX_use_certificate(ctx, x). Still I see that there is an error somewhere.
> > I tried calling SSL_CTX_add_extra_chain_cert, but it did not help.
>
> You need to retrieve the trusted certificate store using SSL_CTX_get_store()
> and then add the certificate to it using X509_STORE_add_cert().
>
> Steve.
> --
> Dr Stephen N. Henson. Core developer of the OpenSSL project: http://www.openssl.org/
> Freelance consultant see: http://www.drh-consultancy.demon.co.uk/
> Email: [EMAIL PROTECTED], PGP key: via homepage.

__
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
Hard-coded trusted CA-cert
hi,

I have tested the SSL handshake, but it fails when verifying the server certificate: X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY. I generated the self-signed CA and used the same CA cert to verify using openssl verify and also using openssl s_client -verify 1 -CAfile, and it seems to be working perfectly OK. Since I don't have a file system on the embedded platform I cannot use SSL_CTX_load_verify_locations(). I have converted the CA cert file from base64 format to a C structure using the openssl utility and I am calling SSL_CTX_use_certificate(ctx, x). Still I see that there is an error somewhere. I tried calling SSL_CTX_add_extra_chain_cert, but it did not help.

Can anyone let me know what's wrong in my code?

    unsigned char CA_cert[811] = { 0x30, 0x82, 0x03, 0x27, 0x30, 0x82, 0x02, 0x90, 0xA0, 0x03, 0x02, ... };

    void ssl_client(void)
    {
        SSL_METHOD *meth;
        SSL_CTX *ctx;
        SSL *ssl;
        int err;

        SSLeay_add_ssl_algorithms();
        meth = SSLv3_client_method();
        SSL_load_error_strings();
        ctx = SSL_CTX_new(meth);
        SSL_CTX_set_cipher_list(ctx, SSL3_TXT_RSA_RC4_40_MD5);
        {
            X509 *x = NULL;
            unsigned char *c;

            /* load our CA cert into the certificate chain */
            c = CA_cert;
            x = d2i_X509(NULL, &c, (long) sizeof(CA_cert));
            if (x == NULL) {
                goto end;
            }
            if (!SSL_CTX_add_extra_chain_cert(ctx, x)) {
                goto end;
            }
        }
        socket(...);
        ...
        SSL_connect(...);
        ...
        /* verify the server certificate */
        err = SSL_get_verify_result(ssl);
        ...
    end:
        return;
    }
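The array in the message above is declared as CA_cert[811] and begins 0x30, 0x82, 0x03, 0x27: a DER SEQUENCE tag followed by a two-byte length of 0x0327 = 807, so four header bytes plus 807 content bytes is exactly 811. A cheap check before handing such a buffer to d2i_X509 is to decode that outer length and compare it with sizeof the array; a pasted 'openssl x509 -C' dump that was truncated, or an array declared larger than the certificate, then shows up at startup instead of as a confusing handshake error. The following is an added example, not code from the list posters or from OpenSSL; the function names are my own, and the sample buffers are constructed (the four header bytes quoted above followed by zero filler, not a real certificate).

```c
#include <stddef.h>
#include <stdio.h>

/* Decode the outer DER header of an X.509 certificate.  Returns the total
   encoded size (header + content) when buf starts with a well-formed
   SEQUENCE whose declared length fits inside buf_len, 0 otherwise.
   Added example; the names are assumptions, not OpenSSL API. */
size_t der_cert_total_len(const unsigned char *buf, size_t buf_len)
{
    size_t header, content;

    if (buf == NULL || buf_len < 2 || buf[0] != 0x30)   /* 0x30 = SEQUENCE */
        return 0;

    if (buf[1] < 0x80) {              /* short form: the byte is the length */
        content = buf[1];
        header = 2;
    } else {                          /* long form: 0x80|n, then n length bytes */
        size_t n = buf[1] & 0x7F, i;
        if (n == 0 || n > sizeof(size_t) || buf_len < 2 + n)
            return 0;                 /* indefinite length is BER, not DER; or too short */
        if (buf[2] == 0x00)
            return 0;                 /* leading zero length byte: not minimal, not DER */
        content = 0;
        for (i = 0; i < n; i++)
            content = (content << 8) | buf[2 + i];
        if (content < 0x80)
            return 0;                 /* long form for a length that fits the short form */
        header = 2 + n;
    }
    if (content > buf_len - header)
        return 0;                     /* declared length runs past the buffer: truncated copy */
    return header + content;
}

/* 1 when the buffer holds exactly one complete certificate, no more, no less. */
int embedded_cert_is_complete(const unsigned char *buf, size_t buf_len)
{
    size_t total = der_cert_total_len(buf, buf_len);
    return total != 0 && total == buf_len;
}

/* Constructed sample: the header quoted on the list, 0x30 0x82 0x03 0x27,
   announces 0x0327 = 807 content bytes, so 811 bytes in total; the rest is
   zero filler, not a real certificate. */
const unsigned char sample_811[811] = { 0x30, 0x82, 0x03, 0x27 };

/* Constructed: short-form header, 3 content bytes, 5 bytes in total. */
const unsigned char sample_short[5] = { 0x30, 0x03, 0x02, 0x01, 0x05 };

/* Constructed: long form 0x81 0x05 for a length that fits the short form (not DER). */
const unsigned char sample_nonminimal[8] = { 0x30, 0x81, 0x05, 0x02, 0x01, 0x05, 0x00, 0x00 };

int main(void)
{
    printf("CA_cert[811] header announces %zu bytes: %s\n",
           der_cert_total_len(sample_811, sizeof(sample_811)),
           embedded_cert_is_complete(sample_811, sizeof(sample_811)) ? "complete" : "BROKEN");
    printf("same bytes with the last one missing: %s\n",
           embedded_cert_is_complete(sample_811, sizeof(sample_811) - 1) ? "complete" : "BROKEN");
    return 0;
}
```

The check only reads the outer header, so it cannot tell a valid certificate from filler; its job is to catch the embedding mistakes that d2i_X509 would otherwise report as a bare NULL.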
Re: Hard-coded trusted CA-cert
On Wed, Mar 26, 2003, rajagopalan ramanujam wrote:

> hi, I have tested the SSL handshake, but it fails when verifying the server
> certificate: X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY. I generated the
> self-signed CA and used the same CA cert to verify using openssl verify and also
> using openssl s_client -verify 1 -CAfile, and it seems to be working perfectly OK.
> Since I don't have a file system on the embedded platform I cannot use
> SSL_CTX_load_verify_locations(). I have converted the CA cert file from base64
> format to a C structure using the openssl utility and I am calling
> SSL_CTX_use_certificate(ctx, x). Still I see that there is an error somewhere.
> I tried calling SSL_CTX_add_extra_chain_cert, but it did not help.

You need to retrieve the trusted certificate store using SSL_CTX_get_store() and then add the certificate to it using X509_STORE_add_cert().

Steve.
--
Dr Stephen N. Henson. Core developer of the OpenSSL project: http://www.openssl.org/
Freelance consultant see: http://www.drh-consultancy.demon.co.uk/
Email: [EMAIL PROTECTED], PGP key: via homepage.
Re: Hard-coded trusted CA-cert
Hello,

I'm a newbie, but now I can hardcode a root certificate. Thank you! Still one question:

    X509 *x;
    ...
    X509_free(x);   // must I call this?

Also, any example of how to read a certificate to/from a memory buffer would be nice. ;-)

Boguslaw Brandys

----- Original Message -----
From: Dilkie, Lee [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, February 26, 2002 6:20 PM
Subject: RE: Hard-coded trusted CA-cert

Dennis,

This is what I did. I think I just looked into the SSL_CTX_load_verify_locations() function and copied what it did.

    {
        X509 *x = NULL;
        unsigned char *c;

        c = CACert;
        x = d2i_X509(NULL, &c, (long) sizeof(CACert));
        if (x == NULL) {
            PostErrStack("MiSslInit(): d2i_X509(CACert) failed");
            goto ERROR_CLEANUP;
        }
        if (!SSL_CTX_add_extra_chain_cert(sslctx, x)) {
            PostErrStack("MiSslInit(): SSL_CTX_add_extra_chain_cert() failed");
            goto ERROR_CLEANUP;
        }
    }

hope this helps.

-lee

-----Original Message-----
From: Dennis Jarosch [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, February 26, 2002 5:47 AM
To: [EMAIL PROTECTED]
Subject: Hard-coded trusted CA-cert

Hi everybody!

I'm searching for a way of hard-coding a trusted CA certificate into a client executable. I have browsed the archives and the documentation, but I was unable to find anything useful yet.

Currently, I use SSL_CTX_load_verify_locations() to load my trusted CA file. In my case there will only be one trusted CA and I'd prefer not to load it from a file. So is there a way of declaring something like this:

    unsigned char CACert[] = { 0x30, 0x82, 0x02, 0x6B, ... };

which could be generated using 'openssl x509 -C -noout -in cacert.pem', and feeding it to the CTX for verification?

Thanks for any help!
Dennis