OpenSSL and Trusted System Certificates

So, I already know how to specify locations for trusted certificates using SSL_CTX_load_verify_locations(). Now the documentation states the following:

SSL_CTX_load_verify_locations() defines the locations for ctx at which CA certificates for verification purposes are located. Certificates available through CAfile and CApath are trusted.

And also says:

When searching for CA certificates, the OpenSSL library will first look for certificates in the CA file, and then in the CApath.

Fine. But nothing is mentioned about the trusted system certificates located in OPENSSLDIR.

  • Are the system certificates checked after both CAfile and CApath fail?
  • Does the call SSL_CTX_set_default_verify_paths() override SSL_CTX_load_verify_locations()? Or do they work side by side, that is, are both the trusted system certificates and those specified by CAfile and CApath used?
  • If certificates are added to the certificate store manually using SSL_CTX_get_cert_store(), i.e. SSL_CTX_load_verify_locations() is not called at all, what happens in this case? Are only the store's certificates checked? Either way, how does one disable / enable verification against the trusted system certificates in this case?
+4
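The trust-store configurations the three questions ask about, as an added example that is not part of the original post or the answer below. It drives the openssl CLI (1.1.0 or newer) rather than the library, because the flags of `openssl verify` map directly onto the calls in question: `-CAfile`/`-CApath` is what SSL_CTX_load_verify_locations() loads, the implicit default lookup is what SSL_CTX_set_default_verify_paths() adds, and `-no-CAfile -no-CApath` is a store nothing has been loaded into. The CA name (TestCA), host name (leaf.example), config sections and file layout are all constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original post: build a throwaway test PKI with the
# openssl CLI and run `openssl verify` under the trust-store configurations the
# question asks about. Needs openssl 1.1.0 or newer (-no-CAfile/-no-CApath, -newkey ec).

# Build a self-signed CA and a leaf certificate signed by it inside directory $1.
# Names (TestCA, leaf.example) and the config sections are constructed for this demo.
make_test_pki() {
    dir="$1"
    cat > "$dir/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[leaf_ext]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature
subjectAltName = DNS:leaf.example
EOF
    # CA: -config keeps the system openssl.cnf and its default extensions out of the picture
    openssl req -x509 -config "$dir/pki.cnf" -extensions ca_ext \
        -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" -days 1 -subj "/CN=TestCA" >/dev/null 2>&1 || return 1
    # Leaf: CSR first, then sign it with the CA key
    openssl req -new -config "$dir/pki.cnf" \
        -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$dir/leaf.key" -out "$dir/leaf.csr" -subj "/CN=leaf.example" >/dev/null 2>&1 || return 1
    openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/pki.cnf" -extensions leaf_ext -days 1 -out "$dir/leaf.pem" >/dev/null 2>&1 || return 1
}

# Each check prints OK or FAIL so the outcomes can be compared side by side.

# Explicit CAfile only (default CApath suppressed): SSL_CTX_load_verify_locations(ctx, CAfile, NULL).
verify_cafile_only() {
    if openssl verify -no-CApath -CAfile "$1/ca.pem" "$1/leaf.pem" >/dev/null 2>&1; then echo OK; else echo FAIL; fi
}
# CApath only: the directory is searched by subject-name hash, so the CA must be stored as <hash>.0
# (what `openssl rehash` / c_rehash produce); a plain ca.pem dropped in the directory is not found.
verify_capath_only() {
    mkdir -p "$1/capath"
    h=$(openssl x509 -noout -subject_hash -in "$1/ca.pem")
    cp "$1/ca.pem" "$1/capath/$h.0"
    if openssl verify -no-CAfile -CApath "$1/capath" "$1/leaf.pem" >/dev/null 2>&1; then echo OK; else echo FAIL; fi
}
# Default paths only (OPENSSLDIR/cert.pem and OPENSSLDIR/certs, as SSL_CTX_set_default_verify_paths()):
# the test CA is not in the system store, so the chain must not verify.
verify_system_only() {
    if openssl verify "$1/leaf.pem" >/dev/null 2>&1; then echo OK; else echo FAIL; fi
}
# CAfile plus the default paths: both lookups land in the same X509_STORE, so the explicit CA
# still works; the system store neither replaces it nor is replaced by it.
verify_cafile_plus_system() {
    if openssl verify -CAfile "$1/ca.pem" "$1/leaf.pem" >/dev/null 2>&1; then echo OK; else echo FAIL; fi
}
# Nothing loaded at all (OpenSSL 3.x additionally accepts -no-CAstore): no trust anchor, must fail.
verify_empty_store() {
    if openssl verify -no-CAfile -no-CApath "$1/leaf.pem" >/dev/null 2>&1; then echo OK; else echo FAIL; fi
}

run_demo() {
    dir=$(mktemp -d) || return 1
    make_test_pki "$dir" || { echo "could not build the test PKI (openssl >= 1.1.0 needed)"; rm -rf "$dir"; return 1; }
    printf '%-46s %s\n' "CAfile only (load_verify_locations):" "$(verify_cafile_only "$dir")"
    printf '%-46s %s\n' "CApath only (load_verify_locations):" "$(verify_capath_only "$dir")"
    printf '%-46s %s\n' "system store only (set_default_verify_paths):" "$(verify_system_only "$dir")"
    printf '%-46s %s\n' "CAfile + system store:" "$(verify_cafile_plus_system "$dir")"
    printf '%-46s %s\n' "nothing loaded (-no-CAfile -no-CApath):" "$(verify_empty_store "$dir")"
    rm -rf "$dir"
}

run_demo
```

At the library level the picture is the same as in the demo: SSL_CTX_load_verify_locations() and SSL_CTX_set_default_verify_paths() both add lookups to the one X509_STORE held by the context (the one SSL_CTX_get_cert_store() returns), so the trust anchors are the union of everything loaded and neither call overrides the other. The system store under OPENSSLDIR (`openssl version -d` prints the directory) is consulted only if SSL_CTX_set_default_verify_paths() or an equivalent has been called; a context whose store was filled solely through X509_STORE_add_cert() verifies against those certificates alone. Note the CApath caveat in the block: a directory is searched by hashed file name, so files placed there must be rehashed to be found.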
1 answer

 - SS () TR ().
 - SS (SS_C) (SS_S).
 - TR (TR_C) (TR_S).
 - TR CA CA.

 - openssl verify SS_C SS_S, CAfile
 - openssl verify TR_C TR_S

Client/Server:
 - SS - TR
 - SSL_CTX_set_default_verify_paths: SS - TR
 - SSL_CTX_load_verify_locations SS CA: SS - TR

SSL_CTX_set_default_verify_paths, SSL_CTX_load_verify_locations:
SSL_CTX_load_verify_locations SS CA.
 - TR -
 - SS -

X509_STORE SSL_CTX_load_verify_locations:
SS CA, SS CA.
 - SS CA: SS - TR
 - (): SS - TR
 - SSL_CTX_set_default_verify_paths + SS CA: SS - TR

+1

Source: https://habr.com/ru/post/1613696/

