
List:       openssl-dev
Subject:    Re: Creating PEM file from peer cert
From:       Lutz Jaenicke <Lutz.Jaenicke () aet ! TU-Cottbus ! DE>
Date:       2001-11-27 10:47:28

On Mon, Nov 26, 2001 at 11:15:15AM -0800, ct l wrote:
> I am working on client. Now I use
> X509_STORE_CTX_get_chain(ctx) in the
> verify_callback(,ctx), trying to store the server cert
> chain for future verification. However, the
> _get_chain() always returns a stack with just one X509
> object (st->num=1), which is the cert similar to
> X509_STORE_CTX_get_current_cert().
> 
> Is there any way for me to extract the server/peer root
> certificate during verify_callback()? Anything that I
> overlooked?

The certificate chain is the chain sent by the peer. If the peer does not
send the chain, there is nothing you can do to obtain the CA certificate(s)
short of asking the admin to send it to you by email :-)
The OpenSSL library does not allow you to preload a peer's certificate and
simply trust it. You may emulate this behaviour in the verify_callback(),
but I don't have a code sample. If I remember correctly I discussed this
issue publicly on this list some time ago.
I do use Konqueror at home and it does seem to support peer certificate
checking, so you may want to check out the Konqueror source.

Best regards,
	Lutz
-- 
Lutz Jaenicke                             Lutz.Jaenicke@aet.TU-Cottbus.DE
BTU Cottbus               http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik                  Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus              Fax. +49 355 69-4153
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majordomo@openssl.org
