OpenSSL - find error depth in certificate chain


I am writing a C program to retrieve and verify an x509 certificate chain using OpenSSL. This is my first time programming in C and I am relying heavily on the tutorial at /

I am able to retrieve any error code from the connection using the code below:

    /* SSL_get_verify_result() returns a long X509_V_* code, so print it with %ld */
    long verify_result = SSL_get_verify_result(ssl);
    if (verify_result != X509_V_OK) {
        printf("\nError verifying certificate\n");
        fprintf(stderr, "Error Code: %ld\n", verify_result);
    }

however I also need to know which certificate is the offending one. Is there a way to determine the chain depth of the error, like the command-line s_client? Any example code would be greatly appreciated.

Accepted answer


I found my answer in "Network Security with OpenSSL" by Chandra, Messier and Viega.

It uses SSL_CTX_set_verify to designate a callback function that gets run after the verification routine for each certificate in the chain.

    /* Runs once for every certificate in the chain, after OpenSSL has checked it.
       'ok' is OpenSSL's verdict for that certificate; the callback must return a verdict too. */
    int verify_callback(int ok, X509_STORE_CTX *store)
    {
        if (!ok) { /* this particular cert had an error */
            int depth = X509_STORE_CTX_get_error_depth(store); /* 0 = leaf, 1 = its issuer, ... */
            int err = X509_STORE_CTX_get_error(store);         /* X509_V_ERR_* code for that cert */
        }
        return ok; /* pass OpenSSL's verdict through; returning 1 here would hide the failure */
    }

    SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, verify_callback);
