Excerpts from Kurt Roeckx's message of Wed Oct 31 20:07:31 +0100 2012:
> On Wed, Oct 31, 2012 at 07:37:25PM +0100, Michal Suchanek wrote:
> > Package: openssl
> > Version: 1.0.1c-4
> > Severity: important
> >
> > Hello,
> >
> > I tried to get certificate validation working in an application using
> > OpenSSL.
> >
> > I added a call to the verification routine and it rejects invalid
> > certificates all right, but forwarding the server connection through
> > local inetd+nc does not produce an error.
> >
> > Looking for working applications I tried openssl s_client and it
> > verifies the hijacked connection too.
>
> s_client should properly verify the result, and show you that
> there is an error. It will then continue even when the
> verification fails. See the manual.

Yes, the verify result is 0 as it is in my test application. No error is reported.

> > Is there any example of application using openssl that can correctly
> > verify server certificates at all?
>
> As far as I know at least curl does the right thing by
> default.

It uses gnutls so that's not surprising. gnutls has a well-documented interface for that.

> See the SSL_get_verify_result() man page.

Yes, that I do and get no error.

> Please note that just calling the function is not enough, you also
> need to call SSL_get_peer_certificate().

That would be required to verify that the server did send a certificate at all according to the docs. It does send one so this is not the issue.

> Also it's not because the certificate verifies that you are connected
> to the right hostname and you need to check that yourself and you
> might want to look at rfc 2818 for that.

So to verify that you parse the certificate returned by SSL_get_peer_certificate manually in every application that uses OpenSSL, and even the openssl authors did not bother to do that in s_client. Awesome.

Thanks

Michal
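The three checks Kurt lists (a certificate was presented, the chain verified, and the certificate is issued to the host you meant to reach, per RFC 2818 section 3.1) as an added example; this is not code from the bug report or from OpenSSL. It is written against the dict layout that Python's ssl.SSLSocket.getpeercert() returns for an OpenSSL-verified certificate, so it runs offline on the constructed certificate descriptions embedded below (test data, not real certificates, with illustrative hostnames). Function names and the two constructed certificates are this example's own.

```python
"""RFC 2818 peer-identity check, the part the application must do itself.

Added example, not from the bug thread. Works on getpeercert()-style dicts;
the certificates at the bottom are constructed test data.
"""
import ipaddress
import re
import ssl

X509_V_OK = 0  # OpenSSL's "chain verified" result from SSL_get_verify_result()


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Match one dNSName/CN identifier against a hostname.

    RFC 2818 3.1: comparison is case-insensitive and '*' matches exactly one
    domain component or component fragment ('*.a.com' matches 'foo.a.com' but
    not 'bar.foo.a.com'). Two restrictions modern clients (RFC 6125) add on top
    of RFC 2818 are applied as well: the wildcard may appear only in the
    leftmost label, and at least two literal labels must follow it, so a
    certificate for '*.com' never matches anything."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if not all(h_labels) or len(p_labels) != len(h_labels):
        return False
    if "*" not in pattern:
        return p_labels == h_labels
    if any("*" in lab for lab in p_labels[1:]) or len(p_labels) < 3:
        return False
    # Each '*' in the leftmost label matches any run of non-dot characters.
    leftmost = re.escape(p_labels[0]).replace(r"\*", "[^.]*")
    return (re.fullmatch(leftmost, h_labels[0]) is not None
            and p_labels[1:] == h_labels[1:])


def peer_identity_matches(peercert: dict, expected_host: str) -> bool:
    """Is the certificate issued to expected_host?

    - Empty dict: no certificate presented (SSL_get_peer_certificate() would
      return NULL), so fail closed.
    - IP literal: must appear as an iPAddress subjectAltName.
    - Otherwise dNSName SANs are checked; the subject CN is consulted only
      when the certificate carries no dNSName SAN at all (RFC 2818 3.1)."""
    if not peercert:
        return False
    san = peercert.get("subjectAltName", ())
    try:
        wanted_ip = ipaddress.ip_address(expected_host)
    except ValueError:
        wanted_ip = None
    if wanted_ip is not None:
        return any(kind == "IP Address" and ipaddress.ip_address(value) == wanted_ip
                   for kind, value in san)
    names = [value for kind, value in san if kind == "DNS"]
    if not names:
        names = [value for rdn in peercert.get("subject", ())
                 for attr, value in rdn if attr == "commonName"]
    return any(dns_name_matches(name, expected_host) for name in names)


def peer_is_acceptable(verify_result: int, peercert: dict, expected_host: str) -> bool:
    """Both checks from the thread: the chain verified (SSL_get_verify_result()
    returned X509_V_OK) AND the certificate names the host we meant to reach."""
    return verify_result == X509_V_OK and peer_identity_matches(peercert, expected_host)


def default_client_context() -> ssl.SSLContext:
    """The same requirements as a Python ssl context: CERT_REQUIRED fails the
    handshake on a bad chain, check_hostname performs the RFC 2818 check."""
    ctx = ssl.create_default_context()
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    return ctx


def context_is_strict(ctx: ssl.SSLContext) -> bool:
    """True when a context will refuse both bad chains and wrong hostnames."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


# Constructed getpeercert()-style data for the scenarios in the thread.
REAL_SERVER_CERT = {
    "subject": ((("commonName", "mail.example.org"),),),
    "subjectAltName": (("DNS", "*.example.org"), ("DNS", "example.org"),
                       ("IP Address", "192.0.2.10")),
}
CN_ONLY_CERT = {  # legacy certificate with no subjectAltName extension
    "subject": ((("countryName", "DE"),), (("commonName", "legacy.example.net"),)),
}

if __name__ == "__main__":
    # The relayed connection from the report: the real server's certificate
    # arrives unchanged through inetd+nc, so the chain verifies (result 0),
    # but we connected to "localhost" and the certificate is not issued to it.
    print(peer_is_acceptable(X509_V_OK, REAL_SERVER_CERT, "localhost"))       # False
    print(peer_is_acceptable(X509_V_OK, REAL_SERVER_CERT, "www.example.org"))  # True
```

The relay in the report is exactly the case the chain check cannot catch: the genuine certificate is forwarded byte for byte, so SSL_get_verify_result() reports 0, and only the name comparison against the host the client intended to reach fails. In C, OpenSSL 1.0.2 and later provide X509_check_host() and X509_VERIFY_PARAM_set1_host() for this comparison; the 1.0.1c release in the report has no such helper, which is why the thread says to do it by hand.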