Setting Up CertStore for TLS Verification

Kreissl, Jochen Jochen.Kreissl at vector.com
Mon Jan 30 04:00:13 UTC 2023


Hi,

I am facing some uncertainties regarding how to properly set up SSL_CTX & SSL structs, so that certificate-based (mutual) authentication works (TLS 1.3).

  *   Certificates are loaded via an external lib and I get them as binary ASN.1. After parsing them into proper openssl X509 structs, I load them into an X509_Store with X509_STORE_add_cert
  *   I use the SSL_CTX_set1_cert_store method to load the thus constructed store into an SSL_CTX
  *   I also use SSL_add_client_CA to add all CA/Root names to the Server list of available CAs (to be sent to the Client when initiating mutual auth)
  *   I have set the Verify flag to Verify_Peer via SSL_set_verify
  *   An instance's chain certs are added via SSL_add1_chain_cert
  *   An instance's key and leaf cert are added via SSL_use_certificate and SSL_use_PrivateKey respectively

Q1: Is there anything I forget with regards to the general set-up of the verification process?
Q2: Assume the Verification Certificates are loaded into SSL_CTX after an SSL struct was already created from it. Will the SSL struct "know" of the Certificate Store and access it properly? Or would I have to create a new SSL struct from SSL_CTX in order for this configuration to take effect?

Thanks everyone
Jochen

