Reputation: 1764
Listing the certificate chain provided by a server on SSL_connect
I'm new to security so some of the terms might be used incorrectly:
- When I create a socket connection using
SSL_connect, the server should send back the entire certificate chain so that the authenticity of the server can be verified. - For this to happen, the server needs to be configured accordingly.
- If the server doesn't send back the entire certificate chain and the intermediate certificate isn't in the client certificate store, the authenticity can't be verified. This results in the behavior experienced here in which FireFox regards a website as unsafe.
- I've also read that some browsers are able to attain the intermediate certificate automatically. However, OpenSSL doesn't behavior like this, at least by default.
- I've also been told that some (maybe all) intermediate certificates have been installed in Windows certificate stores since some Windows update was rolled out a few years ago.
I would like to view the certificates returned by the server to verify that I'm getting back the entire certificate chain. Here's what I've tried:
- I'm using
SSLv3_method. SSL_CTX_set_verifyis set usingSSL_VERIFY_NONE.- After
SSL_connectI useSSL_get_peer_cert_chainto get access to the certificate chain.
Consider:
STACK_OF(X509)* certificateChain = SSL_get_peer_cert_chain(ssl);
while (char* stackCertificate = sk_pop(certificateChain))
{
X509* certificate = (X509*)stackCertificate;
}
Is this the correct way to get the certificate chain? Is my understanding of the situation correct? Is there perhaps a better way to do this?
Thank you for your time and contribution.
Upvotes: 2
Views: 913
Answers (1)
Reputation: 1764
The following code snippet is based off code in s_client:
SSL* ssl = ...;
STACK_OF(X509)* certCollection = SSL_get_peer_cert_chain(ssl);
for (size_t i = 0; i < sk_X509_num(certCollection); i++)
{
X509* cert = sk_X509_value(certCollection, i);
...
}
As far as I understand, an SSL session must have been created otherwise SSL_get_peer_cert_chain will return null. Additionally I haven't found any evidence to contradict the list I noted in my question.
Perhaps an easier alternative would be to use the command line tool (downloaded from here):
openssl s_client -connect {server}:{port} -ssl3
Upvotes: 2
Related Questions
- Get complete certificate chain including the root certificate
- How to list certificates, trusted by OpenSSL?
- Get chain or CA issuer from x509 certificate using OpenSSL CLI
- Visual Studio: Getting all certificate issuer details from executable
- How to check which certificates are included in the certificate chain deployed to a website
- How can I get information around the full certificate chain with Nodejs?
- show entire certificate chain for a local certificate file
- SSL_CTX_set_cert_verify_callback to get the chain list
- Find client certificate information from server in OpenSSL
- OpenSSL: How to find out number of current SSL Connections?