[Vpn-help] Chain verification on server certificate?
Tai-hwa Liang
avatar at mmlab.cse.yzu.edu.tw
Thu Apr 26 22:33:38 CDT 2007
On Thu, 26 Apr 2007, Matthew Grooms wrote:
> Tai-hwa Liang wrote:
>>>
>>>> If I remember correctly, OpenSSL supports chain verification
>>>> through adding a hashed directory (X509_LOOKUP_add_dir()). I'm wondering
>>>> about how to get Shrew VPN Client to support chain verification on
>>>> the server certificate?
>>>>
>>> There may be some issues with the certificate verification code that will
>>> require some modifications to support this. I think there is still
>>> enough time to get these fixes into the 2.0 final release.
>>>
>>> Unfortunately, I don't have a setup like this so I will need someone to
>>> verify that the changes I make will fix the issue you identified. Would
>>> you be willing to test some private beta builds?
>>
>> Sure. Feel free to point me to the download URL. :)
>>
>
> Hello again,
>
> I looked through the openssl documentation today with the intent of
> fixing the problem you identified. Unfortunately, LOOKUP_add_dir appears to
> be a utility function used with the X509_LOOKUP_hash_dir lookup method. I
> could add support for this with just a few lines of code but it has a very
> odd method of operation ...
>
> http://www.columbia.edu/~ariel/ssleay/x509_lookup.html
My bad. It should be X509_LOOKUP_load_file() plus the X509_LOOKUP_file()
method to load a .pem file with certificates chain.
> ... I think the other alternative would be to manually add a list of certs to
> the X509 store before calling X509_verify_cert. I will try to put this
> together and post a test build for you within the next day or two.
If I read the sample code correctly, using X509_LOOKUP_load_file() should
save you from implementing another listbox to allow users to add a cert list.
Alternatively, users will have to concatenate multiple CAs' certificates
into a single .pem file.
--
Cheers,
Tai-hwa Liang
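The two lookup methods weighed in this thread, shown with the openssl command line as an added example (not code from the thread or from the Shrew VPN client): -CAfile corresponds to X509_LOOKUP_file() with X509_LOOKUP_load_file(), -CApath to X509_LOOKUP_hash_dir() with X509_LOOKUP_add_dir(). It assumes an openssl 1.1.1 or newer CLI on PATH; the test PKI, subject names and file names are constructed for the example.

```shell
# Added example, not code from the thread or from the Shrew VPN client: build a
# throwaway root -> intermediate -> server PKI, then verify the server cert with
# the two OpenSSL lookup methods the thread discusses:
#   -CAfile = X509_LOOKUP_file() + X509_LOOKUP_load_file()   (one concatenated PEM file)
#   -CApath = X509_LOOKUP_hash_dir() + X509_LOOKUP_add_dir() (<subject_hash>.N files)
set -eu
# make_pki DIR: generate a constructed test PKI under DIR (all names are made up).
make_pki() {
    d=$1
    printf '[ca]\nbasicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' >"$d/ca.ext"
    for n in root int server; do   # one key and CSR per entity
        openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Test $n" \
            -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null
    done
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -set_serial 1 -days 2 \
        -extfile "$d/ca.ext" -extensions ca -out "$d/root.pem" 2>/dev/null
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" -set_serial 2 \
        -days 2 -extfile "$d/ca.ext" -extensions ca -out "$d/int.pem" 2>/dev/null
    openssl x509 -req -in "$d/server.csr" -CA "$d/int.pem" -CAkey "$d/int.key" -set_serial 3 \
        -days 2 -out "$d/server.pem" 2>/dev/null
}

# verify_root_only DIR: only the root is trusted, so the issuer of server.pem
# (the intermediate) cannot be found and verification fails.
verify_root_only() { openssl verify -CAfile "$1/root.pem" "$1/server.pem"; }

# verify_chain_file DIR: root and intermediate concatenated into one PEM file,
# the layout X509_LOOKUP_load_file() reads.
verify_chain_file() {
    cat "$1/root.pem" "$1/int.pem" >"$1/chain.pem"
    openssl verify -CAfile "$1/chain.pem" "$1/server.pem"
}

# verify_hash_dir DIR: the same two CAs stored as <subject_hash>.<n> files,
# the layout X509_LOOKUP_hash_dir() searches.
verify_hash_dir() {
    mkdir -p "$1/certs"
    for c in "$1/root.pem" "$1/int.pem"; do
        h=$(openssl x509 -noout -hash -in "$c")
        n=0; while [ -e "$1/certs/$h.$n" ]; do n=$((n + 1)); done
        cp "$c" "$1/certs/$h.$n"
    done
    openssl verify -CApath "$1/certs" "$1/server.pem"
}
if [ "${1:-}" = "run" ]; then   # sh verify_chain.sh run
    w=$(mktemp -d); make_pki "$w"
    verify_root_only "$w" || echo "root only: fails as expected"
    verify_chain_file "$w" && verify_hash_dir "$w"
fi
```

The root-only check fails with "unable to get local issuer certificate", which is why the intermediate CA must be in the concatenated file (or in the hashed directory) alongside the root.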