SSL_VERIFY_FAIL_IF_NO_PEER_CERT



I have a couple of questions about WolfSSL and verifying peer certificates:



My application calls

SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT


with

And it also wants to retrieve the X509 structure of each client's peer certificate in order to use information stored in it.

When I use OpenSSL my application does this by calling

right after the connection has been established.

But when I use this function with WolfSSL I run into difficulties.
With WolfSSL the SSL_get_peer_certificate() function always returns a NULL pointer, unless it is called from within


The problem I have with this is that from within verify_callback() I have no meaningful place to store the information retrieved from any X509 structure.
Thus, I need to call SSL_get_peer_certificate() after the connection has been established and not from within verify_callback().

Is it possible to retrieve the peer certificate X509 structure after the connection has been established?
(Or is this information discarded by WolfSSL after verify_callback() completes, to save memory?)

My second question also relates to the process of verifying a client's peer certificate.
Do I need to do extra verification when verify_callback() is called with preverify_ok=1?


With OpenSSL my application checks that SSL_get_verify_result() returns a value of X509_V_OK, but I have noticed that WolfSSL always returns X509_V_OK when you call this function (hardcoded into the C header files).


Just to be sure, my application uses a certificate manager to verify the peer certificate (again) like this:


Is this necessary, or can I trust the hardcoded X509_V_OK that SSL_get_verify_result() returns?
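The two concerns in the post (nowhere to keep what verify_callback() learned, and a verify result that cannot be trusted because the library hardcodes it) both come down to the application tracking the verification outcome itself. The following is an added example, not code from the poster, wolfSSL or OpenSSL: the per-connection `peer_state_t` is the application's own storage, and `verify_ctx_t` is a stand-in modeled on the callback contract the post describes (preverify_ok, chain depth, error code, current certificate, user pointer); it is not WOLFSSL_X509_STORE_CTX or X509_STORE_CTX. It assumes the library lets the application attach a per-connection pointer that the callback can read back (OpenSSL and wolfSSL both have app-data/ex-data setters for this; that plumbing is library-specific and not shown). The callback records the leaf subject only at depth 0, never widens a library rejection into an accept, and `peer_verified()` is the post-handshake check to make instead of relying on a constant X509_V_OK.

```c
#include <stdio.h>
#include <string.h>

/* Application-side state for one TLS connection (added example). In a real
 * program this is attached to the SSL/WOLFSSL object before the handshake
 * and fetched again inside the verify callback via the library's user pointer. */
typedef struct {
    int  chain_ok;          /* 1 while every depth passed, 0 once any depth failed */
    int  leaf_seen;         /* 1 once the depth-0 (peer) certificate was inspected */
    int  first_error;       /* error code of the first failure, 0 if none */
    char leaf_subject[128]; /* subject of the peer's own certificate */
} peer_state_t;

/* Stand-in for the verification context a library hands to the callback.
 * Constructed for this example; NOT wolfSSL's or OpenSSL's store-ctx type. */
typedef struct {
    int         depth;      /* 0 = leaf (the peer), higher = issuer chain */
    int         error;      /* 0 = ok, non-zero = library verification error */
    const char *subject;    /* subject DN at this depth, NULL if no certificate */
    void       *app_data;   /* per-connection pointer the application registered */
} verify_ctx_t;

/* Called once per certificate in the chain, deepest first. It must never
 * return 1 when preverify_ok is 0: that would accept what the library rejected. */
int verify_callback(int preverify_ok, verify_ctx_t *ctx)
{
    peer_state_t *st = (peer_state_t *)ctx->app_data;
    if (st == NULL)
        return 0;                        /* nowhere to record into: fail closed */

    if (!preverify_ok) {
        st->chain_ok = 0;
        if (st->first_error == 0)
            st->first_error = ctx->error;
        return 0;                        /* uphold the library's rejection */
    }

    if (ctx->depth == 0) {               /* the peer's own certificate */
        if (ctx->subject == NULL) {      /* no peer certificate at all */
            st->chain_ok = 0;
            return 0;
        }
        st->leaf_seen = 1;
        strncpy(st->leaf_subject, ctx->subject, sizeof(st->leaf_subject) - 1);
        st->leaf_subject[sizeof(st->leaf_subject) - 1] = '\0';
    }
    return preverify_ok;                 /* 1: the library's result stands */
}

/* Reset per-connection state before the handshake starts. */
void peer_state_init(peer_state_t *st)
{
    memset(st, 0, sizeof *st);
    st->chain_ok = 1;
}

/* Post-handshake check: a leaf was actually seen and every depth passed. */
int peer_verified(const peer_state_t *st)
{
    return st->chain_ok && st->leaf_seen;
}

/* Drive the callback the way a library would for a chain of n certificates
 * (deepest first). Returns the last callback result; 0 would abort the handshake. */
int simulate_chain(peer_state_t *st, const verify_ctx_t *chain, int n)
{
    int rc = 1;
    for (int i = 0; i < n && rc; i++) {
        verify_ctx_t c = chain[i];
        c.app_data = st;                 /* what the library's user pointer would carry */
        rc = verify_callback(c.error == 0, &c);
    }
    return rc;
}

int main(void)
{
    peer_state_t st;
    peer_state_init(&st);
    /* constructed sample chain: issuer at depth 1, client leaf at depth 0 */
    verify_ctx_t good[] = {
        { 1, 0, "CN=Example Root CA", NULL },
        { 0, 0, "CN=client-01,O=Example", NULL },
    };
    simulate_chain(&st, good, 2);
    printf("verified=%d subject=%s\n", peer_verified(&st), st.leaf_subject);
    return 0;
}
```

The design point is that the callback only writes into state the application owns, so the information is still there after the handshake regardless of whether the library keeps the X509 object around, and the application's acceptance decision rests on its own record of every depth having passed.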




