<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
On 1/11/2018 09:28, pratyush parimal wrote:<br>
<blockquote type="cite"
cite="mid:CALvRNOGEpt5-DWjvby=cW+25stNZNp5=DJpTApGtopbwJpWhDQ@mail.gmail.com">
<div dir="auto">Hi,
<div dir="auto"><br>
</div>
<div dir="auto">Hope everyone is having a good new year so far!</div>
<div dir="auto"><br>
</div>
<div dir="auto">I'm trying to find a way to make sure that a
private-key/public-key-cert pair I'm given will absolutely
work when I stick them into my SSL_CTX* object and try to use
that for SSL. Short of trying to simulate a test SSL
connection over localhost for testing them out, is there a way
to ensure that?</div>
<div dir="auto"><br>
</div>
<div dir="auto">After googling, it seems that I may be able to
verify that by comparing the modulus from the key and the
cert. Does anyone know if that's sufficient, and how to do it
programmatically?</div>
</div>
</blockquote>
If you call SSL_CTX_check_private_key() on your context it will
return "0" if the private key and certificate you have loaded do not
match (and thus won't work). If you get a "1" back then, provided
you have a set of ciphers declared (or the defaults) that are
compatible on both ends so the code can negotiate a cipher set, it
should work.<br>
<br>
There is no guaranteed way to know if a connection will work from
some other piece of code you don't control, however, because it's
entirely possible for the other end to try to insist on (or only be
able to support) a protocol you have disallowed (e.g. SSLv3) or for
there to be no intersection between the cipher sets allowed by both
sides and the certificate and key constraints (never mind
certificate validation, if you are checking it).<br>
<br>
<blockquote type="cite"
cite="mid:CALvRNOGEpt5-DWjvby=cW+25stNZNp5=DJpTApGtopbwJpWhDQ@mail.gmail.com">
<div dir="auto">
<div dir="auto"><br>
</div>
<div dir="auto">I was also wondering if I should just try to
perform an encrypt-decrypt sequence using the pair I have, and
use the success of that as confirmation that my SSL connection
will work later, as far as the certs are concerned. Would that
be the right way to go about it?</div>
<div dir="auto"><br>
</div>
</div>
</blockquote>
IMHO see above.<br>
<br>
<div class="moz-signature">-- <br>
Karl Denninger<br>
<a href="mailto:karl@denninger.net">karl@denninger.net</a><br>
<i>The Market Ticker</i><br>
<font size="-2"><i>[S/MIME encrypted email preferred]</i></font>
</div>
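The pairing check discussed above, as an added example that is not part of the thread: it uses the openssl CLI rather than the C API, compares the public key in the certificate with the public key derived from the private key (the same pairing test SSL_CTX_check_private_key() performs, and nothing about cipher or protocol negotiation), and also shows the RSA-only modulus comparison from the question. The key and certificate files are constructed on the fly; the script assumes an openssl binary from OpenSSL 1.1 or later.

```shell
#!/bin/sh
# Added example: does a private key belong to a certificate?
# Compares the SubjectPublicKeyInfo taken from the cert with the one
# derived from the private key. Works for RSA and EC keys; the
# modulus-only comparison below works for RSA keys only.

# key_matches_cert CERT.pem KEY.pem -> exit 0 if they pair, 1 if not
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# RSA-only variant: the modulus comparison suggested in the question.
# Fails (exit 1) for non-RSA keys because 'openssl rsa' cannot read them.
rsa_modulus_matches() {
    cert_mod=$(openssl x509 -in "$1" -noout -modulus 2>/dev/null) || return 1
    key_mod=$(openssl rsa -in "$2" -noout -modulus 2>/dev/null) || return 1
    [ -n "$cert_mod" ] && [ "$cert_mod" = "$key_mod" ]
}

# Constructed test material (assumption: throwaway self-signed cert plus
# its key, and an unrelated key that must be rejected).
WORK=$(mktemp -d)
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=example" \
    -keyout "$WORK/good.key" -out "$WORK/cert.pem" >/dev/null 2>&1
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/other.key" >/dev/null 2>&1

if key_matches_cert "$WORK/cert.pem" "$WORK/good.key"; then
    echo "good.key pairs with cert.pem"
fi
if ! key_matches_cert "$WORK/cert.pem" "$WORK/other.key"; then
    echo "other.key does not pair with cert.pem (rejected as expected)"
fi
```

A mismatch here is the same condition under which SSL_CTX_check_private_key() returns 0; a match says nothing about whether a given peer will negotiate a protocol and cipher with you.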
</body>
</html>