Peer certificate verification in verify_callback

Michel michel.sales at free.fr
Thu Apr 2 14:58:07 UTC 2020


Hi Viktor,

Could you please elaborate on "...although doing the latter potentially
gives you the
opportunity to decorate them with auxiliary trust EKUs."

Does it mean "EKUs" "out of" the certificate?

Is it just about using X509_STORE_set_trust() and the like, as mentioned in
the X509_STORE_add_cert man page, or something else?

Regards,

Michel

-----Original Message-----
From: openssl-users [mailto:openssl-users-bounces at openssl.org] On behalf of
Viktor Dukhovni
Sent: Monday, March 30, 2020 23:19
To: openssl-users at openssl.org
Subject: Re: Peer certificate verification in verify_callback

[...]

> I set up an X509_STORE object and then cycle through all of the
> certificate files in /etc/ssl/certs/, open them, and call
> PEM_read_X509() to get an X509 (certificate) object and then call
> X509_STORE_add_cert(x509_stor, certificate) to read the certificates
> into my trusted store, X509_store object.

It would be far simpler to concatenate them into a single CAfile, or use
"c_rehash" to create the symlinks needed to make the directory into a
workable CApath.  You should not have to manually load them into your
own store, although doing the latter potentially gives you the
opportunity to decorate them with auxiliary trust EKUs.


> If the user of this CTX is acting as a client and the server presents
> a certificate chain, and my trusted store has the root, the connection
> will work, as the chain is verified and trusted.


[...]

-- 
    Viktor.
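As an added illustration of the two points in Viktor's reply (this is not code from the thread or from the OpenSSL project): the script below builds a throwaway test PKI, turns a directory into a working CApath with "openssl rehash" (the modern replacement for the c_rehash script), and then shows what "decorating with auxiliary trust EKUs" means by writing the root as a TRUSTED CERTIFICATE with "openssl x509 -addtrust"/"-addreject". The trust/reject OIDs stored that way are the X509_AUX settings that X509_STORE_add_cert() keeps on the certificate and that the verifier consults per purpose. All names, subjects and paths are constructed for the example; it assumes an OpenSSL 1.1.0 or later CLI on PATH.

```shell
#!/bin/sh
# Added example, not from the thread or OpenSSL itself. Builds a constructed
# test PKI and compares verification outcomes under a plain root, a CApath,
# and a root carrying auxiliary trust/reject settings.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "needs the openssl CLI" >&2; exit 1; }

WORK="${WORK:-$(mktemp -d)}"

# Constructed test PKI: one self-signed root, one server leaf it signs.
make_test_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -subj "/CN=Example Test Root" \
    -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=server.example.test" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/root.pem" \
    -CAkey "$WORK/root.key" -CAcreateserial -days 30 -sha256 \
    -out "$WORK/leaf.pem" 2>/dev/null
}

# Option 1 from the reply: a CApath. The lookup used by -CApath and
# X509_STORE_load_locations() finds issuers by subject-name hash, which is
# exactly what the symlinks created by rehash (or c_rehash) provide.
build_capath() {
  mkdir -p "$WORK/capath"
  cp "$WORK/root.pem" "$WORK/capath/root.pem"
  openssl rehash "$WORK/capath" 2>/dev/null
}

# Option 2: "decorate" the root with auxiliary trust. The result is a
# "TRUSTED CERTIFICATE" PEM block whose trust/reject OIDs travel with the
# cert into the X509_STORE and are checked against the verification purpose.
# $1 = addtrust | addreject, $2 = purpose OID short name (e.g. serverAuth)
decorate_root() {
  openssl x509 -in "$WORK/root.pem" "-$1" "$2" -out "$WORK/root.$1.$2.pem"
  printf '%s\n' "$WORK/root.$1.$2.pem"
}

# Verify the leaf as a TLS server cert against exactly one trust source
# (default CAfile/CApath disabled so the system store cannot interfere).
# Prints "ok" or "fail" instead of aborting, so outcomes can be compared.
# $1 = -CAfile or -CApath, $2 = the file or directory
verify_server() {
  if openssl verify -no-CAfile -no-CApath "$1" "$2" \
       -purpose sslserver "$WORK/leaf.pem" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

# Five cases, returned as one space-separated line:
#   plain root, CApath, root trusted for serverAuth,
#   root trusted only for clientAuth, root with serverAuth rejected.
run_cases() {
  make_test_pki
  build_capath
  plain=$(verify_server -CAfile "$WORK/root.pem")
  capath=$(verify_server -CApath "$WORK/capath")
  trusted=$(verify_server -CAfile "$(decorate_root addtrust serverAuth)")
  wrongeku=$(verify_server -CAfile "$(decorate_root addtrust clientAuth)")
  rejected=$(verify_server -CAfile "$(decorate_root addreject serverAuth)")
  echo "$plain $capath $trusted $wrongeku $rejected"
}

echo "plain capath trusted wrong-eku rejected: $(run_cases)"
```

The last two cases are the point of the "decorate" remark: once a trust anchor carries explicit trust OIDs, a purpose that is not listed (clientAuth only, checked with -purpose sslserver) no longer verifies, and an explicit reject OID fails the chain outright. A root loaded as a plain certificate, by contrast, falls back to the compatibility rule of trusting any self-signed CA for every purpose.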


