21.03.2013 Views

Problem - Kevin Tafuro

Problem - Kevin Tafuro

Problem - Kevin Tafuro

SHOW MORE
SHOW LESS

You also want an ePaper? Increase the reach of your titles

YUMPU automatically turns print PDFs into web optimized ePapers that Google loves.

See Also<br />

Recipe 10.11<br />

10.7 Verifying an SSL Peer’s Certificate<br />

<strong>Problem</strong><br />

You are using OpenSSLto support SSL-enabled communication between a client and<br />

a server. You want to instruct OpenSSLto verify the certificate received from the<br />

peer.<br />

Solution<br />

Every SSLconnection has an SSL object, which in turn has an SSL_CTX object, and<br />

that object, in turn, has an X509_STORE object. OpenSSLuses the X509_STORE object as<br />

a container for any certificates and CRLs required to verify another certificate.<br />

OpenSSLcreates an X509_STORE_CTX object and calls X509_verify_cert( ) for you, but<br />

not by default.<br />

OpenSSL’s default behavior is to not verify peer certificates, which is the worst<br />

default behavior that any SSLimplementation could possibly provide. By not verifying<br />

certificates in an SSLconnection, the strength of the security provided by SSLis<br />

severely reduced, to the point where the two parties in the conversation might as well<br />

be using nothing more than a symmetric cipher with keys exchanged in the clear.<br />

Without verifying certificates, you will have security against passive eavesdroppers,<br />

but that is all. With a small amount of effort, anyone could hijack the TCP connection<br />

before the SSL session is established and act as a man-in-the-middle.<br />

Discussion<br />

To have OpenSSLverify a peer’s certificate, you must issue a call to SSL_CTX_set_<br />

verify( ). SSL_CTX_set_verify( ) accepts a bitmask of flags that tell OpenSSLhow to<br />

deal with certificates. Depending on whether the SSL_CTX object is being used as a client<br />

or as a server, the meanings of the flags are somewhat different:<br />

SSL_VERIFY_NONE<br />

When the SSL_CTX object is being used in server mode, no request for a certificate<br />

is sent to the client, and the client should not send a certificate.<br />

When the SSL_CTX object is being used in client mode, any certificate received<br />

from the server will be verified, but failure will not terminate the handshake.<br />

This flag should never be combined with any of the others, and it should normally<br />

be used only in server mode (if it is ever used at all). When operating in cli-<br />

Verifying an SSL Peer’s Certificate | 535<br />

This is the Title of the Book, eMatter Edition<br />

Copyright © 2007 O’Reilly & Associates, Inc. All rights reserved.

Hooray! Your file is uploaded and ready to be published.

Saved successfully!

Ooh no, something went wrong!