[DeleGate-En] Re: How to verify a server's certificate?
In message <_A4059@delegate-en.ML_> on 08/11/08(01:21:53)
you Monika Schilling <email@example.com> wrote:
|This is because I want more than the answer "There is some CA certificate
|which verifies the certificate of the peer". In order to raise the security
|level my intention is to specify the CA certificate explicitly and to ignore
|the bunch of preinstalled certificates in the system certs folder
|(/etc/ssl/certs) of the OpenSSL installation of my openSUSE Linux
|OpenSSL Test Case for 2.
| ms@r50e-ms:~/tmp/DeleGate> openssl verify -verbose -CApath emptyDir
| -CAfile vsign1.pem pop.1und1.de.pem
I implemented sslway.c of DeleGate to be compatible with the behavior of
"apps/s_client.c" of OpenSSL. So if you test it with "openssl s_client"
rather than "openssl verify", you will see the same result with the one
|I get a verification error. Obviously the system certs folder is still in
|Is this by intention? Touching the system certs folder is not an option for
Maybe it is because sslway.c loads the default location of certificates
together with the explicitly specified certificates.
If it is the case, it can be disabled by removing the call to
"SSL_CTX_set_default_verify_paths(ctx)" from ssl_setCAs() in
9 9 Yutaka Sato <firstname.lastname@example.org> http://delegate.org/y.sato/
( ~ ) National Institute of Advanced Industrial Science and Technology
_< >_ 1-1-4 Umezono, Tsukuba, Ibaraki, 305-8568 Japan
Do the more with the less -- B. Fuller
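
Added example, not part of the original message and not DeleGate code: a self-contained reproduction of the effect discussed above, showing that an explicitly given CA file is added to OpenSSL's default certificate directory rather than replacing it. All certificates and names (pinned, system, leaf.example.test, store, trust_scope_demo) are constructed for the demo, and it assumes the openssl command-line tool is installed; SSL_CERT_DIR is the environment variable OpenSSL reads to locate its default directory, used here so the real system folder is never touched.

```sh
#!/bin/sh
# Constructed material: two throwaway CAs and one leaf, generated locally.
# "system" stands in for a CA preinstalled in the default certs folder;
# "pinned" is the only CA the operator means to trust. The leaf is issued
# by "system", so a verifier pinned to "pinned" alone must reject it.
trust_scope_demo() {
  d=$(mktemp -d) || return 1
  (
    cd "$d" || exit 1
    for n in pinned system; do
      openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
        -subj "/CN=constructed $n CA" -keyout "$n.key" -out "$n.pem" || exit 1
    done
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=leaf.example.test" \
      -keyout leaf.key -out leaf.csr || exit 1
    openssl x509 -req -in leaf.csr -CA system.pem -CAkey system.key \
      -CAcreateserial -days 2 -out leaf.pem || exit 1
    # Hashed-directory layout OpenSSL expects: <subject-hash>.0
    mkdir store emptyDir || exit 1
    cp system.pem "store/$(openssl x509 -hash -noout -in system.pem).0"
  ) >/dev/null 2>&1 || { rm -rf "$d"; return 1; }

  # verify_with <default-dir> <CAfile>: SSL_CERT_DIR replaces the built-in
  # default directory for this one process only.
  verify_with() {
    if SSL_CERT_DIR="$d/$1" openssl verify -CAfile "$d/$2" "$d/leaf.pem" \
         >/dev/null 2>&1; then echo OK; else echo FAIL; fi
  }
  a=$(verify_with store pinned.pem)      # default dir holds the leaf's issuer
  b=$(verify_with emptyDir pinned.pem)   # default dir empty: pinned CA only
  c=$(verify_with emptyDir system.pem)   # control: the real issuer is pinned
  rm -rf "$d"
  echo "store+pinned=$a emptyDir+pinned=$b emptyDir+issuer=$c"
}

trust_scope_demo
```

The first two checks use the same command line and differ only in what the default directory contains, which is why a check that passes with an explicit CA file says nothing about which CA actually anchored the chain.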