security - Listing the certificate chain provided by a server on SSL_connect -
I'm new to security, so some terms might be used incorrectly:

When creating a socket connection using SSL_connect, the server should send the entire certificate chain so that the authenticity of the server can be verified. For this to happen, the server needs to be configured accordingly. If the server doesn't send the entire certificate chain and the intermediate certificate isn't in the client's certificate store, the authenticity can't be verified. This results in the behaviour experienced here, where Firefox regards the website as unsafe. I've read that some browsers are able to obtain the intermediate certificate automatically. However, OpenSSL doesn't have this behaviour, at least by default. I've been told that some (maybe all) intermediate certificates have been installed in the Windows certificate stores since a Windows update rolled out a few years ago. I want to view the certificates returned by the server to verify that I'm getting the entire certificate chain. Here's what I've tried:

I'm using SSLv3_method. SSL_CTX_set_verify is set using SSL_VERIFY_NONE. After SSL_connect I use SSL_get_peer_cert_chain to access the certificate chain. Consider:

    STACK_OF(X509)* certificateChain = SSL_get_peer_cert_chain(ssl);
    // sk_X509_pop removes each entry from the stack, which is still owned by the SSL object
    while (X509* certificate = sk_X509_pop(certificateChain)) {
        // inspect certificate here
    }

Is this the right way to get the certificate chain? Is my understanding of the situation correct? Is there perhaps a better way to do this?

Thanks for your time and contribution.
The following code snippet is based off the code in s_client:

    SSL* ssl = ...;
    // The returned stack is owned by the SSL object: read it, do not pop from it or free it.
    STACK_OF(X509)* certCollection = SSL_get_peer_cert_chain(ssl);
    for (int i = 0; i < sk_X509_num(certCollection); i++) {
        X509* cert = sk_X509_value(certCollection, i);
        ...
    }

As far as I understand, the SSL session must have been created, otherwise SSL_get_peer_cert_chain returns NULL. Additionally, I haven't found evidence to contradict the list noted in the question.
Perhaps an easier alternative is to use the command line tool (downloaded here):

    openssl s_client -connect {server}:{port} -ssl3

Tags: security, sockets, visual-c++, openssl, ssl-certificate
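The check the answer above points at, carried through end to end as an added example that is not part of the original question or answer: the script builds a root, an intermediate and a leaf certificate locally with the openssl CLI, serves the leaf with s_server once with the intermediate configured as chain certificate and once without it, and then uses s_client -showcerts to count how many certificates the server actually sent and whether the chain verifies when the client trusts only the root (the "intermediate not in the client store" situation from the question). It assumes an openssl binary (1.1.1 or 3.x) on PATH and that binding a loopback port is permitted; the subject names, file names and the probe_chain helper are made up for the example. The -ssl3 flag from the answer is omitted because SSLv3 is compiled out of current OpenSSL builds by default.

```shell
#!/bin/sh
# Added example (not from the original post): build root -> intermediate -> leaf
# locally, serve the leaf with and without the intermediate, and observe what
# s_client receives. Assumes the openssl CLI on PATH; all names are made up.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# --- Root CA: self-signed, CA:TRUE so it is an acceptable trust anchor.
openssl req -new -newkey rsa:2048 -nodes -keyout root.key -out root.csr \
    -subj "/CN=Example Root" 2>/dev/null
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > root.ext
openssl x509 -req -in root.csr -signkey root.key -out root.crt -days 2 \
    -extfile root.ext 2>/dev/null

# --- Intermediate CA: issued by the root, also CA:TRUE.
openssl req -new -newkey rsa:2048 -nodes -keyout inter.key -out inter.csr \
    -subj "/CN=Example Intermediate" 2>/dev/null
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > inter.ext
openssl x509 -req -in inter.csr -CA root.crt -CAkey root.key -CAcreateserial \
    -out inter.crt -days 2 -extfile inter.ext 2>/dev/null

# --- Leaf (server) certificate: issued by the intermediate.
openssl req -new -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
    -subj "/CN=localhost" 2>/dev/null
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:localhost\n' > leaf.ext
openssl x509 -req -in leaf.csr -CA inter.crt -CAkey inter.key -CAcreateserial \
    -out leaf.crt -days 2 -extfile leaf.ext 2>/dev/null

# probe_chain PORT [CHAINFILE]
# Starts s_server on 127.0.0.1:PORT serving leaf.crt and sending the certs in
# CHAINFILE as extra chain certs (none if omitted), connects with s_client, and
# prints "<number of certs the server sent> <ok|fail>", where ok means the chain
# verified with root.crt as the only trusted CA (the client's certificate store).
probe_chain() {
    port=$1
    if [ -n "$2" ]; then
        openssl s_server -accept "127.0.0.1:$port" -cert leaf.crt -key leaf.key \
            -cert_chain "$2" -www >/dev/null 2>&1 &
    else
        openssl s_server -accept "127.0.0.1:$port" -cert leaf.crt -key leaf.key \
            -www >/dev/null 2>&1 &
    fi
    srv=$!
    out=""
    for attempt in 1 2 3 4 5 6 7 8 9 10; do   # retry until the server is listening
        out=$(openssl s_client -connect "127.0.0.1:$port" -CAfile root.crt \
                  -showcerts </dev/null 2>/dev/null || true)
        case "$out" in *"BEGIN CERTIFICATE"*) break ;; esac
        sleep 1
    done
    kill "$srv" 2>/dev/null || true
    wait "$srv" 2>/dev/null || true
    # -showcerts prints one PEM block per certificate the server sent (root excluded).
    sent=$(printf '%s\n' "$out" | grep -c 'BEGIN CERTIFICATE' || true)
    case "$out" in
        *"Verify return code: 0 (ok)"*) status=ok ;;
        *) status=fail ;;
    esac
    echo "$sent $status"
}

BASE=$((20000 + $$ % 20000))
echo "server sends leaf + intermediate: $(probe_chain "$BASE" inter.crt)"
echo "server sends leaf only:           $(probe_chain "$((BASE + 1))")"
```

The first probe reports two certificates and a clean verify; the second reports a single certificate and a verify failure, even though the same root is trusted in both runs, which is exactly the "server not configured to send the intermediate" case the question describes. Fixing it is a server-side change (configure the intermediate as a chain certificate, as the -cert_chain run does), not a client-side one.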