SSL certificate verification


SSL certificate verification

Mody, Darshan (Darshan)

Hi

We are using SSL_CTX_use_certificate and SSL_CTX_use_certificate_chain_file APIs to load the certificates.

My query is: when we load the certificate into the context, does OpenSSL verify the certificates, e.g. whether the certificate has already expired?

Thanks and Regards

Darshan


Re: SSL certificate verification

Jan Just Keijser-2
On 18/12/19 09:54, Mody, Darshan Arvindkumar (Darshan) wrote:

> Hi
>
> We are using SSL_CTX_use_certificate and SSL_CTX_use_certificate_chain_file APIs to load the certificates.
>
> My query is: when we load the certificate into the context, does OpenSSL verify the certificates, e.g. whether the certificate has already expired?


The short answer is no, it does not; the OpenSSL library will let you load expired/invalid certificates if you do not do any explicit checks. Use a verify_callback and call X509_verify_cert() to check the validity.

HTH,

JJK


Re: SSL certificate verification

Viktor Dukhovni
> On Dec 18, 2019, at 11:10 AM, Jan Just Keijser <[hidden email]> wrote:
>
> the short answer is no, it does not; the openssl library will let you load expired/invalid certificates if you do not do any explicit checks.  Use a verify_callback and call X509_verify_cert() to check the validity.

The verify callback is not needed, unless one wants to log
the chain or allow some subset of errors.  What is needed
is an appropriate CAfile and/or CApath or an explicitly
specified trust-anchor stack (X509_STORE_CTX_set0_trusted()),
and of course X509_STORE_CTX_new(), X509_STORE_CTX_init()
and perhaps X509_STORE_CTX_free() unless the object
is reused for the lifetime of the process.

--
        Viktor.