Retrieve CA for client cert from SSL*


Retrieve CA for client cert from SSL*

Fen Fox

Is there a way to figure out which CA the server used to validate the client certificate?


-Fen

http://pronouns.is/fae/faer


Re: Retrieve CA for client cert from SSL*

Jan Just Keijser-2
On 24/10/19 19:55, Fen Fox wrote:

Is there a way to figure out which CA the server used to validate the client certificate?



On the server side? You would have to write your own verify callback to intercept the certificate stack as it is processed. That way, you can monitor which CA OpenSSL selected for verification.

HTH,

JJK


Re: Retrieve CA for client cert from SSL*

OpenSSL - User mailing list

Is looking at the IssuerDN good enough?


Re: Retrieve CA for client cert from SSL*

Viktor Dukhovni
In reply to this post by Jan Just Keijser-2
> On Oct 25, 2019, at 5:38 PM, Jan Just Keijser <[hidden email]> wrote:
>
>> Is there a way to figure out which CA the server used to validate the client certificate?
>  
> on the server side?  you would have to write your own verify callback to intercept the certificate stack as it is processed. That way, you can monitor which CA openssl selected for verification.

No, that's not necessary.  After the completion of the
handshake one can call SSL_get0_verified_chain(3).

This chain is only available on full handshakes, when
validation is successful (SSL_get_verify_result(3)
returns X509_V_OK).  On resumption, only the leaf
certificate is available from the resumed session,
via SSL_get_peer_certificate(3).

Of course there might not be a client certificate at all.

--
        Viktor.


RE: Retrieve CA for client cert from SSL*

Fen Fox
SSL_get0_verified_chain was exactly what I needed, thanks!