Hi,
I am facing some uncertainties regarding how to properly set up the SSL_CTX and SSL structs so that certificate-based (mutual) authentication works (TLS 1.3).
- Certificates are loaded via an external lib and I get them as binary ASN.1. After parsing them into proper OpenSSL X509 structs, I load them into an X509_STORE with X509_STORE_add_cert.
- I use the SSL_CTX_set1_cert_store method to load the thus constructed store into an SSL_CTX.
- I also use SSL_add_client_CA to add all CA/root names to the server's list of available CAs (to be sent to the client when initiating mutual auth).
- I have set the verify flag to SSL_VERIFY_PEER via SSL_set_verify.
- An instance's chain certs are added via SSL_add1_chain_cert.
- An instance's key and leaf cert are added via SSL_use_certificate and SSL_use_PrivateKey respectively.
Q1: Is there anything I forgot with regards to the general set-up of the verification process?
Q2: Assume the verification certificates are loaded into the SSL_CTX after an SSL struct was already created from it. Will the SSL struct "know" of the certificate store and access it properly? Or would I have to create a new SSL struct from the SSL_CTX in order for this configuration to take effect?
Thanks everyone
Jochen