ASIO: ssl - load_verify_file
Hello, I have implemented a TLS client/server application and will be using self-assigned certificates due to the small scale of distribution. I am currently using the function load_verify_file("ca.pem"); however, I don't want to write the certificate to end users' disks. What would be the proper way to use an "in-memory or compiled" certificate for peer verification?

Thanks,
JC
j.c. wrote:

> Hello, I have implemented a TLS client/server application and will be using self-assigned certificates due to the small scale of distribution. I am currently using the function load_verify_file("ca.pem"); however, I don't want to write the certificate to end users' disks. What would be the proper way to use an "in-memory or compiled" certificate for peer verification?

I was trying to do the same thing, and unfortunately there seems to be no API for this. I'm afraid you'd have to use the underlying implementation (OpenSSL's SSL_CTX structure) directly, which you can access with the ssl::context::impl() method. ;-(

Eugene
What is the security risk in placing ca.pem on end users' machines?

Thanks,
j.c.

On Feb 26, 2008, at 5:26 PM, Eugene M. Kim wrote:

> I was trying to do the same thing, and unfortunately there seems to be no API for this. I'm afraid you'd have to use the underlying implementation (OpenSSL's SSL_CTX structure) directly, which you can access with the ssl::context::impl() method. ;-(
>
> Eugene
_______________________________________________ Boost-users mailing list Boost-users@lists.boost.org http://lists.boost.org/mailman/listinfo.cgi/boost-users
(Certificate files might be encrypted as well from the technical point of view; it does not make sense, however, as the data in the certificate is considered public anyway.)

On Mar 6, 2008, at 2:19 PM, j.c. wrote:

> What is the security risk in placing ca.pem on end users' machines?
>
> Thanks,
> j.c.
If you really need to use your own certificates, allocate and populate your own ::X509_STORE instance and pass it to ::SSL_CTX_set_cert_store() instead of calling ::SSL_CTX_load_verify_locations(). (SSL_CTX_load_verify_locations() internally uses the same X509_STORE structure.) However, there is no public documentation of X509_STORE as of yet (see SSL_CTX_set_cert_store(3)), so you may have to dig into the OpenSSL source code in order to figure out exactly how to fill the structure out.

This is getting off-topic for this list; you may want to direct further questions to openssl-users@openssl.org.

And in order to make this email on-topic (well, kind of), I'm going to reiterate: use boost::asio::ssl::context::impl() to obtain the underlying SSL_CTX pointer, with which you can use virtually all SSL_CTX_* functions from OpenSSL. :-)

Eugene

j.c. wrote:

> (Certificate files might be encrypted as well from the technical point of view; it does not make sense, however, as the data in the certificate is considered public anyway.)