Re: Regarding SSL_VERIFY_PEER

> On May 3, 2017, at 5:58 AM, john gloster <glosterj9@xxxxxxxxx> wrote:
> 
> Hi,
> 
> I needed to validate different extensions of each of the Issuer certificates in the chain.
> 
> Snippet from https://linux.die.net/man/3/ssl_set_verify:
> 
> "The certificate chain is checked starting with the deepest nesting level (the root CA certificate) and worked upward to the peer's certificate. At each level signatures and issuer attributes are checked. "
> 
> When we say "issuer attributes", could someone let me know what different stuff in the CA certificate is validated?

For the full verification process see:

   https://github.com/openssl/openssl/blob/f0ef20bf386b5c37ba5a4ce5c1de9a819bbeffb2/crypto/x509/x509_vfy.c#L208

which happens after checking that the peer's key meets the required security level at:

   https://github.com/openssl/openssl/blob/f0ef20bf386b5c37ba5a4ce5c1de9a819bbeffb2/crypto/x509/x509_vfy.c#L286

The specific chain checks you may be thinking of are:

   https://github.com/openssl/openssl/blob/f0ef20bf386b5c37ba5a4ce5c1de9a819bbeffb2/crypto/x509/x509_vfy.c#L448

-- 
	Viktor.
