Verifying private certificate before SSL connection
I need to implement new requirement to verify private certificate before it is used for SSL/TLS connection. Basically I should not use certificate that is expired or revoked. I am working with OpenSSL 0.9.8i. I made function similar to what we are using to verify peer certificate but I am experiencing crashes in X509_verify_cert function. I wonder if anybody is verifying private certificate used for SSL/TLS connection? Any tip would be greatly appreciated. Liz I prepared ssl_ctx by loading CA, CRL, ciphers and private certificate. He is code fragment showing the major steps. SSL *ssl; X509 *x509 = NULL; X509_STORE_CTX *ctx; X509_STORE *cert_store = NULL; ssl = SSL_new(ssl_ctx); x509 = SSL_get_certificate (ssl); /* x509 = SSL_get_peer_certificate (ssl);*/ cert_store = SSL_CTX_get_cert_store(ssl_ctx); X509_STORE_set_verify_cb_func(cert_store, _verifyCertificateCallback); ctx = X509_STORE_CTX_new(); X509_STORE_CTX_init(ctx, cert_store, x509, NULL); X509_verify_cert(ctx); __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Verifying private certificate before SSL connection
Hello, I need to implement new requirement to verify private certificate before it is used for SSL/TLS connection. Basically I should not use certificate that is expired or revoked. I am working with OpenSSL 0.9.8i. I made function similar to what we are using to verify peer certificate but I am experiencing crashes in X509_verify_cert function. I wonder if anybody is verifying private certificate used for SSL/TLS connection? Any tip would be greatly appreciated. Liz I prepared ssl_ctx by loading CA, CRL, ciphers and private certificate. He is code fragment showing the major steps. SSL *ssl; X509 *x509 = NULL; X509_STORE_CTX *ctx; X509_STORE *cert_store = NULL; ssl = SSL_new(ssl_ctx); x509 = SSL_get_certificate (ssl); /* x509 = SSL_get_peer_certificate (ssl);*/ cert_store = SSL_CTX_get_cert_store(ssl_ctx); X509_STORE_set_verify_cb_func(cert_store, _verifyCertificateCallback); ctx = X509_STORE_CTX_new(); X509_STORE_CTX_init(ctx, cert_store, x509, NULL); X509_verify_cert(ctx); __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
RE: Verifying private certificate before SSL connection
what do you mean private certificate? you mean the server wants to verify its own certificate before accepting connections? or the client wants to verify its own certificate before initiating connections? (i guess it doesn't matter either way, though.) assuming you have the CA certs and the CRLs, the openssl verify command verifies a particular certificate (doesnt matter if it's the client's or server's certificate). you should be able to model your code after that program. any case i mention what i have done: X509_STORE *cert_ctx = NULL; X509_LOOKUP *lookup = NULL; /* free lookup - crash burn */ X509_STORE_CTX *cert_store_ctx = NULL; X509 *cert = NULL; /* some how, load into cert the certificate you want to verify */ cert_ctx = X509_STORE_new(); // check result /* because i have the CA certs maintained by c_rehash in a directory, i do these next two calls: */ lookup = X509_STORE_add_lookup(cert_ctx, X509_LOOKUP_hash_dir()); // check result result = X509_LOOKUP_add_dir(lookup, ca_dir, X509_FILETYPE_PEM); // check result cert_store_ctx = X509_STORE_CTX_new(); // check result result = X509_STORE_CTX_init(cert_store_ctx, cert_ctx, cert, NULL); // check result result = X509_verify_cert(cert_store_ctx); // if result == 0, then verification failed. otherwise, verification passed. Date: Sat, 7 Mar 2009 20:29:36 -0500 From: lizv...@sisconet.com To: openssl-users@openssl.org Subject: Verifying private certificate before SSL connection Hello, I need to implement new requirement to verify private certificate before it is used for SSL/TLS connection. Basically I should not use certificate that is expired or revoked. I am working with OpenSSL 0.9.8i. I made function similar to what we are using to verify peer certificate but I am experiencing crashes in X509_verify_cert function. I wonder if anybody is verifying private certificate used for SSL/TLS connection? Any tip would be greatly appreciated. Liz I prepared ssl_ctx by loading CA, CRL, ciphers and private certificate. He is code fragment showing the major steps. SSL *ssl; X509 *x509 = NULL; X509_STORE_CTX *ctx; X509_STORE *cert_store = NULL; ssl = SSL_new(ssl_ctx); x509 = SSL_get_certificate (ssl); /* x509 = SSL_get_peer_certificate (ssl); */ cert_store = SSL_CTX_get_cert_store(ssl_ctx); X509_STORE_set_verify_cb_func(cert_store, _verifyCertificateCallback); ctx = X509_STORE_CTX_new(); X509_STORE_CTX_init(ctx, cert_store, x509, NULL); X509_verify_cert(ctx); __ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager majord...@openssl.org _ Windows Liveā¢ Contacts: Organize your contact list. http://windowslive.com/connect/post/marcusatmicrosoft.spaces.live.com-Blog-cns!503D1D86EBB2B53C!2285.entry?ocid=TXT_TAGLM_WL_UGC_Contacts_032009__ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: Verifying private certificate before SSL connection
Found the problem... The x509 pointer should not be free since the ssl_ctx will continue to use it. Thanks Liz Liz Voss wrote: Hello, I need to implement new requirement to verify private certificate before it is used for SSL/TLS connection. Basically I should not use certificate that is expired or revoked. I am working with OpenSSL 0.9.8i. I made function similar to what we are using to verify peer certificate but I am experiencing crashes in X509_verify_cert function. I wonder if anybody is verifying private certificate used for SSL/TLS connection? Any tip would be greatly appreciated. Liz I prepared ssl_ctx by loading CA, CRL, ciphers and private certificate. He is code fragment showing the major steps. SSL *ssl; X509 *x509 = NULL; X509_STORE_CTX *ctx; X509_STORE *cert_store = NULL; ssl = SSL_new(ssl_ctx); x509 = SSL_get_certificate (ssl); /* x509 = SSL_get_peer_certificate (ssl);*/ cert_store = SSL_CTX_get_cert_store(ssl_ctx); X509_STORE_set_verify_cb_func(cert_store, _verifyCertificateCallback); ctx = X509_STORE_CTX_new(); X509_STORE_CTX_init(ctx, cert_store, x509, NULL); X509_verify_cert(ctx); __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
