Setting Up CertStore for TLS Verification
Kreissl, Jochen
Jochen.Kreissl at vector.com
Mon Jan 30 04:00:13 UTC 2023
Hi,
I am facing some uncertainties regarding how to properly set up the SSL_CTX and SSL structs so that certificate-based (mutual) authentication works (TLS 1.3).
* Certificates are loaded via an external lib and I get them as binary ASN.1. After parsing them into proper OpenSSL X509 structs, I load them into an X509_STORE with X509_STORE_add_cert.
* I use the SSL_CTX_set1_cert_store method to load the thus constructed store into an SSL_CTX.
* I also use SSL_add_client_CA to add all CA/root names to the server's list of available CAs (to be sent to the client when initiating mutual auth).
* I have set the verify flag to SSL_VERIFY_PEER via SSL_set_verify.
* An instance's chain certs are added via SSL_add1_chain_cert.
* An instance's key and leaf cert are added via SSL_use_certificate and SSL_use_PrivateKey respectively.
Q1: Is there anything I am forgetting with regards to the general set-up of the verification process?
Q2: Assume the Verification Certificates are loaded into SSL_CTX after an SSL struct was already created from it. Will the SSL struct "know" of the Certificate Store and access it properly? Or would I have to create a new SSL struct from SSL_CTX in order for this configuration to take effect?
Thanks, everyone
Jochen