Re: Pre-Check User Certificate for TLS

On Wed, Feb 22, 2023 at 02:18:24PM +0000, Kreissl, Jochen wrote:

> I'd like to perform a preliminary (programmatical) check as to whether
> a given certificate (chain) can be used for TLS operations (given a
> configured SSL_CTX if required) or not.  Is there any easy way to
> achieve this?

    $ openssl verify -show_chain \
        -trusted <expected root ca set> \
        -untrusted <intermediate signer chain> \
        -purpose <sslserver|sslclient> \
        <leaf certificate> ...

See the docs for details.

> I get the Certs to use via an external library and it may happen that
> the user has configured something wrong and I end up getting something
> like an RSA certificate for a TLS 1.3-only Server (which doesn't work
> obviously).

RSA works fine with TLS 1.3.  Not sure what failure you're finding
"obvious".

> Now if I just proceed with starting the handshake, I'll
> get very unhelpful openssl errors, e.g.  version_negotiation_failed -
> which have little to do with the actual problem at hand.

Also unclear what that has to do with the certificate.

> Thus, I'd like to try and pre-check and at least warn/log something to
> help troubleshoot the issue.

Sounds like your real problem is TLS, not certificates.

-- 
    Viktor.
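The pre-check from the reply above, run end to end as an added example (this is not code from the thread or from OpenSSL itself). It builds a throwaway root -> issuing CA -> leaf hierarchy with the openssl CLI and then runs `openssl verify -show_chain -trusted ... -untrusted ... -purpose ...` three times: on an RSA server leaf, which passes for purpose sslserver (RSA is fine for TLS 1.3, as Viktor says), on a clientAuth-only leaf, which is rejected with "unsupported certificate purpose", and on the server leaf with the intermediate left out, which fails to chain. All file names, subjects and the hostname tls.example.test are constructed for the demo; it assumes an `openssl` binary (1.1.1 or 3.x) on PATH.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenSSL: exercise the
# `openssl verify` pre-check against a throwaway PKI. All names are constructed.

# verify_chain ROOTS INTERMEDIATES PURPOSE LEAF
# Runs the pre-check exactly as in the reply. INTERMEDIATES may be "" to
# simulate a caller that forgot to hand over the issuing CA. Returns
# openssl's exit status: 0 only if LEAF chains to ROOTS and fits PURPOSE.
verify_chain() {
    if [ -n "$2" ]; then
        openssl verify -show_chain -trusted "$1" -untrusted "$2" -purpose "$3" "$4"
    else
        openssl verify -show_chain -trusted "$1" -purpose "$3" "$4"
    fi
}

# make_pki DIR: EC root CA -> EC issuing CA (pathlen 0) -> two leaves:
# an RSA server certificate (serverAuth) and a clientAuth-only certificate.
make_pki() {
    dir=$1
    cat >"$dir/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
[v3_root]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[v3_inter]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[v3_server]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:tls.example.test
[v3_client]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
EOF
    # Unquoted on purpose: these are several options for the CA keys.
    ec="-newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes"
    openssl req -x509 -config "$dir/pki.cnf" -extensions v3_root $ec \
        -subj "/CN=Example Root CA" -days 3650 \
        -keyout "$dir/root.key" -out "$dir/root.pem" &&
    openssl req -new -config "$dir/pki.cnf" $ec \
        -subj "/CN=Example Issuing CA" -keyout "$dir/inter.key" -out "$dir/inter.csr" &&
    openssl x509 -req -in "$dir/inter.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" \
        -CAcreateserial -extfile "$dir/pki.cnf" -extensions v3_inter -days 1825 \
        -out "$dir/inter.pem" &&
    openssl req -new -config "$dir/pki.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=tls.example.test" -keyout "$dir/server.key" -out "$dir/server.csr" &&
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/inter.pem" -CAkey "$dir/inter.key" \
        -CAcreateserial -extfile "$dir/pki.cnf" -extensions v3_server -days 365 \
        -out "$dir/server.pem" &&
    openssl req -new -config "$dir/pki.cnf" $ec \
        -subj "/CN=client-only" -keyout "$dir/client.key" -out "$dir/client.csr" &&
    openssl x509 -req -in "$dir/client.csr" -CA "$dir/inter.pem" -CAkey "$dir/inter.key" \
        -CAcreateserial -extfile "$dir/pki.cnf" -extensions v3_client -days 365 \
        -out "$dir/client.pem"
}

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
make_pki "$WORK" >/dev/null 2>&1 || { echo "PKI setup failed (is openssl on PATH?)" >&2; exit 1; }

# report LABEL VERIFY_ARGS...: run the pre-check, show the chain and the verdict.
report() {
    label=$1; shift
    echo "== $label"
    if verify_chain "$@"; then
        echo "-> accepted"
    else
        echo "-> rejected, openssl verify exit status $?"
    fi
}

report "RSA server leaf, full chain, -purpose sslserver" \
    "$WORK/root.pem" "$WORK/inter.pem" sslserver "$WORK/server.pem"
report "clientAuth-only leaf, -purpose sslserver" \
    "$WORK/root.pem" "$WORK/inter.pem" sslserver "$WORK/client.pem"
report "RSA server leaf, issuing CA not supplied" \
    "$WORK/root.pem" "" sslserver "$WORK/server.pem"
```

The second and third cases are the two misconfigurations worth catching before a handshake: a leaf whose extendedKeyUsage does not cover the role, and a chain the peer will be unable to build because the intermediate was never handed over. `-purpose` makes openssl apply the same role checks the TLS stack would, so the verdict here is a much clearer error than whatever alert the handshake would later produce.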
