
Certificate verification with BIO_do_connect()

Is certificate verification performed during a BIO_do_connect call?

I am trying to understand when to use SSL_get_verify_result(). The documentation says this function should be used in conjunction with SSL_get_peer_certificate. But some of the examples (IBM's, for instance) don't, saying that OpenSSL does the verification for us. They only call SSL_get_verify_result() after BIO_do_connect.

I see that BIO_do_connect is actually a macro:

/* BIO_s_accept() and BIO_s_connect() */
#  define BIO_do_connect(b)       BIO_do_handshake(b)
#  define BIO_do_accept(b)        BIO_do_handshake(b)
# endif /* OPENSSL_NO_SOCK */

# define BIO_do_handshake(b)     BIO_ctrl(b,BIO_C_DO_STATE_MACHINE,0,NULL)

So, my understanding is that BIO_do_connect does not actually check to see if the server sent a certificate. If the server does send a certificate, then SSL_get_verify_result will use that to perform verification. If it doesn't send one, then SSL_get_verify_result still returns X509_V_OK. That is why we need to call SSL_get_peer_certificate to make sure that a certificate is in fact sent. Is this correct?

If you look at the BIO_do_handshake example, you are safe to call SSL_get_verify_result / SSL_get_peer_certificate after the call to BIO_do_handshake.

You can customize the verification process with SSL_CTX_set_verify, in which you can provide a callback verification function. This allows you to provide your own validation rules, like allowing overrides for things such as self-signed certificate support, etc.
