On Wed, Feb 22, 2023 at 02:18:24PM +0000, Kreissl, Jochen wrote:

> I'd like to perform a preliminary (programmatical) check as to whether
> a given certificate (chain) can be used for TLS operations (given a
> configured SSL_CTX if required) or not. Is there any easy way to
> achieve this?

    $ openssl verify -show_chain \
        -trusted <expected root ca set> \
        -untrusted <intermediate signer chain> \
        -purpose <sslserver|sslclient> \
        <leaf certificate>
    ...

See the docs for details.

> I get the Certs to use via an external library and it may happen that
> the user has configured something wrong and I end up getting something
> like an RSA certificate for a TLS 1.3-only Server (which doesn't work
> obviously).

RSA works fine with TLS 1.3.  Not sure what failure you're finding
"obvious".

> Now if I just proceed with starting the handshake, I'll
> get very unhelpful openssl errors, e.g. version_negotiation_failed -
> which have little to do with the actual problem at hand.

Also unclear what that has to do with the certificate.

> Thus, I'd like to try and pre-check and at least warn/log something to
> help troubleshoot the issue.

Sounds like your real problem is TLS, not certificates.

-- 
    Viktor.
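To show what the suggested `openssl verify -purpose` pre-check actually catches, here is an added shell example that is not part of the thread and not OpenSSL project code. It builds a throwaway root -> intermediate -> leaf PKI in a temp directory (all subject names such as "Example Root" and "www.example.test" are constructed for the demo), then runs the same chain through the check for both the sslserver and sslclient purposes. One leaf carries EKU serverAuth, the other only clientAuth, so each chains correctly but is only fit for one purpose; the check separates "wrong purpose" from "broken chain" before any handshake is attempted. It assumes the openssl CLI is installed (1.1.1 or later, so that a verification failure gives a non-zero exit status).

```shell
#!/bin/sh
# Added example, not from the thread: build a throwaway test PKI and run the
# `openssl verify -purpose ...` pre-check from the reply against it.
# Subject names are constructed for this demo.  Requires the openssl CLI
# (1.1.1 or later, for a non-zero exit status on verification failure).
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal config so the demo does not depend on the system openssl.cnf.
cat >"$WORK/pki.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn

[dn]
CN = placeholder

[v3_root]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign

[v3_int]
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign,cRLSign

# Leaf usable as a TLS server (EKU serverAuth).
[v3_server]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth

# Leaf restricted to client authentication: chains fine, but
# -purpose sslserver rejects it with "unsupported certificate purpose".
[v3_client_only]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = clientAuth
EOF

# issue NAME SUBJECT EXT_SECTION: CSR for NAME, signed by the intermediate.
issue() {
  openssl req -new -config "$WORK/pki.cnf" -newkey rsa:2048 -nodes \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" -subj "$2" 2>/dev/null
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/int.pem" -CAkey "$WORK/int.key" \
    -CAcreateserial -days 30 -extfile "$WORK/pki.cnf" -extensions "$3" \
    -out "$WORK/$1.pem" 2>/dev/null
}

make_pki() {
  # Self-signed root.
  openssl req -x509 -config "$WORK/pki.cnf" -extensions v3_root -newkey rsa:2048 -nodes \
    -keyout "$WORK/root.key" -out "$WORK/root.pem" -subj "/CN=Example Root" -days 30 2>/dev/null
  # Intermediate signed by the root.
  openssl req -new -config "$WORK/pki.cnf" -newkey rsa:2048 -nodes \
    -keyout "$WORK/int.key" -out "$WORK/int.csr" -subj "/CN=Example Intermediate" 2>/dev/null
  openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 30 -extfile "$WORK/pki.cnf" -extensions v3_int \
    -out "$WORK/int.pem" 2>/dev/null
  # Two leaves on the same chain, fit for different purposes.
  issue server "/CN=www.example.test" v3_server
  issue client "/CN=client@example.test" v3_client_only
}

# check_purpose PURPOSE LEAFNAME: the pre-check from the reply.  Prints OK
# or FAIL and leaves the full verify output (chain or error reason) in
# $WORK/last_verify.txt so it can be logged instead of a handshake alert.
check_purpose() {
  if openssl verify -show_chain -trusted "$WORK/root.pem" -untrusted "$WORK/int.pem" \
       -purpose "$1" "$WORK/$2.pem" >"$WORK/last_verify.txt" 2>&1; then
    echo OK
  else
    echo FAIL
  fi
}

make_pki
for leaf in server client; do
  for purpose in sslserver sslclient; do
    printf '%-7s as %-9s -> %s\n' "$leaf" "$purpose" "$(check_purpose "$purpose" "$leaf")"
  done
done
```

Only the two matching combinations (server/sslserver, client/sslclient) pass; the other two fail at depth 0 with error 26, "unsupported certificate purpose", which is the message worth surfacing to the user instead of whatever alert the handshake later produces. A chain that fails for both purposes points at a trust or signing problem rather than at the leaf's usage.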