Topic: How does the client verify server certificate?
#
2006-10-02 21:06:32 UTC
Hi,
As title.
It seems that most of the X509_ functions used to verify peer certificate are not implemented in wolfSSL, am I correct?
Thanks.
Peter
#
touska Project Admin
2006-10-03 18:11:15 UTC
Yes. wolfSSL takes a different approach to certificate verification than other embedded SSL libraries. Verification is on by default so dates, signatures, and names are checked unless you turn verification off. If you don't provide a CA cert or the wrong one for example, a wolfSSL client will fail to connect. Is there a particular X509 function you want?
#
ngustavson
2006-10-03 19:30:02 UTC
I've done several openssl->wolfssl ports now and typically I have to comment out the cert verification stuff to get it working.
I see the auto cert checking you mentioned, touska.
If they are effectively being implemented, then for openssl compatibility it would probably be better to implement some kind of stubs for these functions (not just the headers), otherwise you get undefined errors when you try to compile against them.
(at least I do, but I'm compiling directly against the static lib instead of using libtool)
thx,
NZG
#
ngustavson
2006-10-03 21:08:44 UTC
Also, it would be good if some sort of error message was displayed when a certificate is rejected due to a future date.
I spent a couple hours on that before I realized my clock wasn't set correctly.
BTW.
All in all this is a very nice software package, keep up the good work!
NZG
#
touska Project Admin
2006-10-03 22:20:14 UTC
Thanks for the suggestions. I've checked in a change that makes sure certificate errors are propagated all the way back to the caller and I've removed wolfSSL ssl functions from the header that aren't implemented yet.
#
panpipi
2006-10-04 04:50:26 UTC
"If you don't provide a CA cert or the wrong one for example, a wolfSSL client will fail to connect."
My question is not about absence of CA cert or wrong CA cert but about how to do some "post connection check" like making sure that the server presents a certificate that contains the FQDN of the server's address. For this I may need to iterate thru X.509 extensions and use the extension-specific parsing routines to find all extensions that are "subjectAltName" fields, "dNSName" fields, or just commonName field.
So, probably at least I will need SSL API like:
* SSL_get_peer_certificate()
* X509_get_subject_name()
* X509_NAME_get_text_by_NID
Please correct me if I miss or mistake something here. Thanks.
Peter
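
The post-connection name check described in the post above, as an added example that is not part of the original thread and is not wolfSSL or OpenSSL code. It assumes the caller has already extracted the subjectAltName dNSName entries and the subject commonName from the peer certificate as NUL-terminated strings (rejecting any whose encoded length differs from `strlen()`); `cert_matches_host` and `name_matches` are hypothetical names.

```c
#include <stddef.h>
#include <string.h>
#include <strings.h>   /* strcasecmp (POSIX) */

/* Match one certificate name against the host the client asked for.
 * A wildcard is honoured only as the whole left-most label
 * ("*.example.com") and stands for exactly one label. */
static int name_matches(const char *pattern, const char *host)
{
    if (strncmp(pattern, "*.", 2) != 0)
        return strcasecmp(pattern, host) == 0;  /* DNS names: case-insensitive */

    const char *suffix = pattern + 1;           /* ".example.com" */
    const char *dot = strchr(host, '.');        /* end of host's first label */
    if (dot == NULL || dot == host)             /* need a non-empty first label */
        return 0;
    if (strchr(suffix + 1, '.') == NULL)        /* refuse "*.com"-style patterns */
        return 0;
    return strcasecmp(dot, suffix) == 0;
}

/* Returns 1 if the certificate names cover host, otherwise 0.
 * dns_names:   subjectAltName dNSName entries (n_dns may be 0).
 * common_name: subject CN, consulted only when no dNSName entry exists. */
int cert_matches_host(const char *host, const char *const *dns_names,
                      size_t n_dns, const char *common_name)
{
    if (host == NULL || *host == '\0')
        return 0;
    if (n_dns > 0) {
        for (size_t i = 0; i < n_dns; i++)
            if (dns_names[i] != NULL && name_matches(dns_names[i], host))
                return 1;
        return 0;                               /* SANs present: CN is ignored */
    }
    return common_name != NULL && name_matches(common_name, host);
}
```

The result is only meaningful after chain, date and signature verification have succeeded; a name match on an unverified certificate proves nothing.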
#
touska Project Admin
2006-10-04 08:21:18 UTC
No mistake, I'll add these. I just wanted to make sure you understood that wolfSSL was doing all the other checks automatically. Not enough people check the chain, dates, and signature (which wolfSSL does) let alone the Domain Name. Maybe I should add a function to do that during verification so that no post check is needed by default?
#
panpipi
2006-10-04 17:29:18 UTC
A built-in check of the Domain Name, or whatever field, is good for assuring that the server connected to is the one the client wants to connect with.
A built-in check can have a more compact footprint than the X509_xxx functions plus extra application code to use them.
peter