[英]Certificate verification with BIO_do_connect()
Is certificate verification performed during a BIO_do_connect
call?在
BIO_do_connect
调用期间是否执行证书验证?
I am trying to understand when to use ssl_get_verify_result()
.我试图了解何时使用
ssl_get_verify_result()
。 The documentation says this function should be used in conjunction with ssl_get_peer_certificate
.文档说这个函数应该与
ssl_get_peer_certificate
结合使用。 But some of the examples ( IBM's for instance) don't, saying that OpenSSL does the verification for us.但是一些示例(例如IBM 的)没有,说 OpenSSL 为我们进行了验证。 They only call
ssl_get_verify_result()
after BIO_do_connect
.他们只在
BIO_do_connect
之后调用ssl_get_verify_result()
。
I see that BIO_do_connect
is actually a macro:我看到
BIO_do_connect
实际上是一个宏:
/* BIO_s_accept() and BIO_s_connect() */
# define BIO_do_connect(b) BIO_do_handshake(b)
# define BIO_do_accept(b) BIO_do_handshake(b)
# endif /* OPENSSL_NO_SOCK */
# define BIO_do_handshake(b) BIO_ctrl(b,BIO_C_DO_STATE_MACHINE,0,NULL)
So, my understanding is that BIO_do_connect
does not actually check to see if the server sent a certificate.所以,我的理解是
BIO_do_connect
实际上并没有检查服务器是否发送了证书。 If the server does send a certificate, then ssl_get_verify_result
will use that to perform verification.如果服务器确实发送了证书,则
ssl_get_verify_result
将使用它来执行验证。 If it doesn't send one, then ssl_get_verify_result
still returns X509_V_OK
.如果它没有发送,那么
ssl_get_verify_result
仍然返回X509_V_OK
。 That is why we need to call ssl_get_peer_certificate
to make sure that a certificate is in fact sent.这就是为什么我们需要调用
ssl_get_peer_certificate
来确保确实发送了证书。 Is this correct?这样对吗?
If you look at the BIO_do_handshake example, you are safe to call ssl_get_verify_result / ssl_get_peer_certificate after the call to BIO_do_handshake.如果您查看BIO_do_handshake示例,您可以安全地在调用 BIO_do_handshake 之后调用 ssl_get_verify_result / ssl_get_peer_certificate。
You can customize the verification process with SSL_CTX_set_verify in which you can provide a callback verification function.您可以使用SSL_CTX_set_verify自定义验证过程,您可以在其中提供回调验证功能。 This allow you to provide your own validation rules like allowing overrides for things like self signed certificate support, etc.
这允许您提供自己的验证规则,例如允许覆盖自签名证书支持等。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.