I'm new to security so some words may be used incorrectly:
- When I make a socket connection using SSL_connect, the server should return the entire certificate chain so that the authenticity of the server can be verified.
- For this, the server needs to be configured accordingly.
- If the server does not return the entire certificate chain and the intermediate certificate is not in the client certificate store, authentication cannot be verified. In that case Firefox considers the website to be unsafe.
- I have also read, though, that OpenSSL does not behave like this, at least by default.
- I have also been told that some (all) intermediate certificates have been installed in Windows certificate stores because of Windows updates that started some years ago.

I want to check the certificates returned by the server to prove that the entire certificate chain is being returned. Here is what I have tried:
- I am using SSLv3_method.
- I use SSL_VERIFY_NONE with SSL_CTX_set_verify.
- I use SSL_get_peer_cert_chain after SSL_connect to gain access to the certificate chain.

Consider:

    STACK_OF(X509) *certificateChain = SSL_get_peer_cert_chain(ssl);
    /* pop certificates off the stack until it is empty */
    while (void *stackCertificate = sk_pop(certificateChain)) {
        X509 *certificate = (X509 *)stackCertificate;
    }

Is this the correct way to get the certificate chain? Is my understanding of the situation correct? Is there a better way to do this?
Thank you for your time and contribution.
The following code snippet is taken from s_client:

    SSL *ssl = ...;
    STACK_OF(X509) *certChain = SSL_get_peer_cert_chain(ssl);
    /* walk the chain by index instead of popping it; the stack is owned by the SSL object */
    for (int i = 0; i < sk_X509_num(certChain); i++) {
        X509 *cert = sk_X509_value(certChain, i);
        ...
    }

As far as I understand, an SSL session must have been established, otherwise SSL_get_peer_cert_chain will return NULL. In addition, I have not found any evidence to refute the list written in my question.
Perhaps an easy-to-use command line tool (downloadable) could be used:

    openssl s_client -connect {server}:{port} -ssl3
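As an added example (not code from the question, the answer, or OpenSSL's s_client), a POSIX shell function that checks the PEM chain written out by openssl s_client with its -showcerts option: it prints each certificate's subject and issuer, verifies that every issuer is the subject of the next certificate sent, and reports whether the chain ends in a self-signed root. It assumes the openssl command-line tool is installed; the file argument and the exit codes are this example's own convention.

```shell
#!/bin/sh
# Added example, not from the question or answer: check a PEM certificate chain
# as written out by "openssl s_client -showcerts". For each certificate it prints
# subject and issuer and verifies that issuer(i) equals subject(i+1).
# Exit status (this example's own convention):
#   0 = chain links and ends in a self-signed root
#   2 = chain links but the last certificate is not self-signed, so its issuer
#       must be in the local trust store (a root, or a missing intermediate)
#   1 = a link is broken, or no certificate was found
# Usage: openssl s_client -connect host:port -showcerts </dev/null 2>/dev/null | check_chain
check_chain() {
    tmp=$(mktemp -d) || return 1
    # Split the input (file argument or stdin) into one file per PEM block.
    cat "$@" | awk -v dir="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/cert%03d.pem", dir, n) }
        f { print > f }
        /-----END CERTIFICATE-----/ { close(f); f = "" }
    '
    prev_issuer=""
    result=0
    count=0
    for cert in "$tmp"/cert*.pem; do
        [ -f "$cert" ] || break
        count=$((count + 1))
        subject=$(openssl x509 -noout -subject -in "$cert" | sed 's/^subject=//')
        issuer=$(openssl x509 -noout -issuer -in "$cert" | sed 's/^issuer=//')
        echo "cert $count: subject=$subject"
        echo "         issuer=$issuer"
        # Each certificate must be issued by the one that follows it.
        if [ -n "$prev_issuer" ] && [ "$prev_issuer" != "$subject" ]; then
            echo "chain broken: the certificate with subject '$prev_issuer' was not sent"
            result=1
        fi
        prev_issuer=$issuer
    done
    rm -rf "$tmp"
    [ "$count" -gt 0 ] || { echo "no certificates found"; return 1; }
    if [ "$result" -eq 0 ] && [ "$prev_issuer" != "$subject" ]; then
        echo "last certificate is not self-signed; its issuer '$prev_issuer' must be in the local trust store"
        result=2
    fi
    return "$result"
}
```

Exit status 2 is the normal result for a well-configured server that sends the leaf and intermediates but omits the root, so what matters is whether the printed last issuer is one of your trusted roots.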