security - Listing the certificate chain provided by a server on SSL_connect -

I'm new to security, so some terms might be used incorrectly:

When I create a socket connection using SSL_connect, the server should send the entire certificate chain so that the authenticity of the server can be verified. For this to happen, the server needs to be configured accordingly. If the server doesn't send the entire certificate chain, and the intermediate certificate isn't in the client's certificate store, the authenticity can't be verified. This results in the behavior I experienced here in Firefox, which regards the website as unsafe. I've read that some browsers are able to obtain the intermediate certificate automatically. However, OpenSSL doesn't behave like this, at least not by default. I've been told that many (maybe all) intermediate certificates have been installed in Windows certificate stores since a Windows update rolled out a few years ago.

I would like to view the certificates returned by the server to verify that I'm getting the entire certificate chain. Here's what I've tried:

I'm using SSLv3_method. SSL_CTX_set_verify is set using SSL_VERIFY_NONE. After SSL_connect I use SSL_get_peer_cert_chain to access the certificate chain.

consider:

```cpp
/* Walk the chain by popping (removing) each element from the stack
   returned by SSL_get_peer_cert_chain, leaf certificate first. */
STACK_OF(X509)* certificateChain = SSL_get_peer_cert_chain(ssl);
while (char* stackCertificate = sk_pop(certificateChain)) {
    X509* certificate = (X509*)stackCertificate;
}
```

Is this the right way to get the certificate chain? Is my understanding of the situation correct? Is there perhaps a better way to do this?

Thank you for your time and contribution.

The following code snippet is based off the code in s_client:

```c
SSL* ssl = ...;  /* an SSL object on which SSL_connect has already completed */
STACK_OF(X509)* certCollection = SSL_get_peer_cert_chain(ssl);
/* sk_X509_num returns an int (-1 for a NULL stack), so index with int, not size_t */
for (int i = 0; i < sk_X509_num(certCollection); i++) {
    /* Element 0 is the leaf; the stack is owned by the SSL object, so do not free these */
    X509* cert = sk_X509_value(certCollection, i);
    ...
}
```

As far as I understand, the SSL session must have been created, otherwise SSL_get_peer_cert_chain returns NULL. Additionally, I haven't found any evidence that contradicts the list noted in the question.

Perhaps an easier alternative is to use the command line tool (downloaded here):

```
openssl s_client -connect {server}:{port} -ssl3
```
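The check the question is after, as an added example that is not part of the original question or answer: fetch the chain the server actually sends with `openssl s_client -showcerts`, print subject and issuer of each certificate, and report whether each issuer matches the next certificate's subject. The function names `fetch_chain`, `list_chain` and `chain_status` are my own; it assumes the `openssl` CLI and `awk` are available.

```shell
#!/bin/sh
# Added example, not code from the original post.
# Usage: ./chain.sh host port

# Print the chain the server sends (leaf first) as a PEM stream.
fetch_chain() {
    # </dev/null ends the session right after the handshake.
    openssl s_client -connect "$1:$2" -servername "$1" -showcerts </dev/null 2>/dev/null
}

# Read PEM from stdin; print one "subject<TAB>issuer" line per certificate.
list_chain() {
    dir=$(mktemp -d)
    # Split the stream into one file per BEGIN/END CERTIFICATE block, in order.
    awk -v d="$dir" '/-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/%03d.pem", d, n) }
                     n { print > f }
                     /-----END CERTIFICATE-----/ { close(f) }'
    for f in "$dir"/*.pem; do
        [ -e "$f" ] || break
        s=$(openssl x509 -in "$f" -noout -subject | sed 's/^subject= *//')
        i=$(openssl x509 -in "$f" -noout -issuer  | sed 's/^issuer= *//')
        printf '%s\t%s\n' "$s" "$i"
    done
    rm -rf "$dir"
}

# Read the listing; print "complete" if every issuer is the next subject and the
# last certificate is self-signed, "root-omitted" if the links hold but no root
# was sent (the last issuer must then be in the client's store), else "broken".
chain_status() {
    awk -F'\t' '{ subj[NR] = $1; iss[NR] = $2 }
        END {
            if (NR == 0) { print "broken"; exit }
            for (k = 1; k < NR; k++)
                if (iss[k] != subj[k + 1]) { print "broken"; exit }
            status = (iss[NR] == subj[NR]) ? "complete" : "root-omitted"
            print status
        }'
}

if [ "$#" -ge 2 ]; then
    listing=$(fetch_chain "$1" "$2" | list_chain)
    printf '%s\n' "$listing"
    printf '%s\n' "$listing" | chain_status
fi
```

A "broken" result on a real server is the case the question describes: an intermediate is missing, so OpenSSL cannot build the path unless that intermediate is already in the client store.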

Tags: security, sockets, visual-c++, openssl, ssl-certificate
