[Vpn-help] Chain verification on server certificate?
Matthew Grooms
mgrooms at shrew.net
Thu Apr 26 02:07:27 CDT 2007
Tai-hwa Liang wrote:
>>
>>> If I remembered correctly, OpenSSL supports chain verification
>>> through adding hashed directory(X509_LOOKUP_add_dir()). I'm wondering
>>> about how to get Shrew VPN Client to support chain verification on
>>> server certificate?
>>>
>> There may be some issues with the certificate verification code that will
>> require some modifications to support this. I think there is still
>> enough time to get these fixes into the 2.0 final release.
>>
>> Unfortunately, I don't have a setup like this so I will need someone to
>> verify that the changes I make will fix the issue you identified. Would
>> you be willing to test some private beta builds?
>
> Sure. Feel free to point me to the download URL. :)
>
Hello again,
I looked through the openssl documentation today with the intent of
fixing the problem you identified. Unfortunately, LOOKUP_add_dir appears
to be a utility function used with the X509_LOOKUP_hash_dir lookup
method. I could add support for this with just a few lines of code but
it has a very odd method of operation ...
http://www.columbia.edu/~ariel/ssleay/x509_lookup.html
... I think the other alternative would be to manually add a list of
certs to the X509 store before calling X509_verify_cert. I will try to
put this together and post a test build for you within the next day or two.
Thanks,
-Matthew