How to verify when server's certificate issued by unknown authority?
When my client connects to a server for the first time and the server
responds with a certificate that has been issued by an unknown
authority, I want to present the server certificate to the user and ask
them if they want to trust this certificate. On subsequent connects we
should go through just fine. This is what web browsers do, for example
It seems like I can't just add that server certificate to the client's
list of CA certificates and expect this to work.
So my current thinking is that I need to create a custom verify
function, and set it with SSL_CTX_set_verify(). Then, if the certificate
verify failed (like it would in this case), ask the user. If yes, change
the failure code to success, and store the server certificate so we can
check new connects against the list of user approved certs. I should be
able to just match the hash of the certificates, I presume.
Does this seem correct, or are there better/other ways?
PS. It seems like this would be frequent enough need that there should
be something like SSL_CTX_load_peer_certificates(),
SSL_CTX_add_peer_certificate() without requiring everyone to write
custom (and error prone) verification routines. Assuming my approach
above is correct, of course.