[openssl-users] Regarding SSL_VERIFY_PEER
Viktor Dukhovni
openssl-users at dukhovni.org
Wed May 3 12:39:43 UTC 2017
> On May 3, 2017, at 5:58 AM, john gloster <glosterj9 at gmail.com> wrote:
>
> Hi,
>
> I needed to validate different extensions of each of the Issuer certificate in the chain.
>
> Snippet rom https://linux.die.net/man/3/ssl_set_verify:
>
> "The certificate chain is checked starting with the deepest nesting level (the root CA certificate) and worked upward to the peer's certificate. At each level signatures and issuer attributes are checked. "
>
> When we say "issuer attributes", could someone let me know what different stuffs in the CA certificate are validated?
For the full verification process see:
https://github.com/openssl/openssl/blob/f0ef20bf386b5c37ba5a4ce5c1de9a819bbeffb2/crypto/x509/x509_vfy.c#L208
which happens after checking that the peer's key meets the required security level at:
https://github.com/openssl/openssl/blob/f0ef20bf386b5c37ba5a4ce5c1de9a819bbeffb2/crypto/x509/x509_vfy.c#L286
The specific chain checks you may be thinking of are:
https://github.com/openssl/openssl/blob/f0ef20bf386b5c37ba5a4ce5c1de9a819bbeffb2/crypto/x509/x509_vfy.c#L448
--
Viktor.
More information about the openssl-users
mailing list