[openssl-users] SSL_CTX_set_cert_verify_callback and certificate access

Jordan Brown openssl at jordan.maileater.net
Fri Jan 11 18:14:28 UTC 2019

On 1/10/2019 10:55 AM, Corey Minyard wrote:
> It is unusual, perhaps, but I'm trying to implement something like ssh
> does.  I can't expect users of ser2net to obtain certificates from a
> real certificate authority, that's too high a barrier for entry.  I
> want them to be able to generate a key pair, put the public key on the
> server in their account, and authenticate against that. 

Nobody said you needed a real certificate authority.  You need a
*trusted* certificate authority.

You could put the user's self-signed certificate into their account as a
trusted CA.

However... it seems like you're reinventing ssh.  Your replacement for
ssh will likely require a custom client, which will be a pain in the
neck for your users.  Maybe you should start with an existing ssh
library and hack it until it behaves the way you need.

Jordan Brown, Oracle ZFS Storage Appliance, Oracle Solaris
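The arrangement Jordan describes (the user's self-signed certificate installed in their account as the only trust anchor, in the spirit of `~/.ssh/authorized_keys`) can be exercised end to end with the `openssl` command-line tool. The script below is an added example; it is not code from this thread or from ser2net. The account directory layout, the user names alice and mallory, and the helper functions are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the thread or from ser2net: model the
# "self-signed certificate as trusted CA" suggestion with the openssl CLI.
# Each server-side account holds exactly one trusted certificate, the user's
# own self-signed one.  Names, layout and helpers are assumptions.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_self_signed NAME: the user generates a key pair and a self-signed
# certificate for it.  Only the certificate (public half) leaves the client.
make_self_signed() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" >/dev/null 2>&1
}

# enroll USER: install USER's certificate as the sole trust anchor of the
# account.  This is the "put the public key on the server in their account"
# step from the question.
enroll() {
    mkdir -p "$WORK/accounts/$1"
    cp "$WORK/$1.crt" "$WORK/accounts/$1/trusted.pem"
}

# verify_login USER NAME: exit 0 only if NAME's certificate chains to the
# anchor enrolled for USER.  A self-signed certificate chains to itself, so
# the enrolled user's own certificate passes, any other self-signed
# certificate fails, and an account with no anchor rejects everything.
verify_login() {
    openssl verify -CAfile "$WORK/accounts/$1/trusted.pem" \
        "$WORK/$2.crt" >/dev/null 2>&1
}

make_self_signed alice
make_self_signed mallory
enroll alice

if verify_login alice alice; then
    echo "account alice, presenting alice.crt:   accepted"
fi
if ! verify_login alice mallory; then
    echo "account alice, presenting mallory.crt: rejected"
fi
if ! verify_login mallory mallory; then
    echo "account mallory (not enrolled):         rejected"
fi
```

Two details carry over to the daemon. First, `openssl verify -CAfile` still consults the system's default certificate directory unless `-no-CApath` (and `-no-CAfile`, OpenSSL 1.1.0 and later) is given; the per-account `X509_STORE` you hand to the verification logic in the server should likewise contain nothing but that account's certificate, otherwise any certificate issued by a public CA would be accepted as well. Second, the check above binds the certificate to the account, not to a name inside the certificate, so the server must still decide which account's store to consult before the TLS handshake completes, for example from a username sent earlier or from an SNI value.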
