
How can I force OpenSSL to use my system's root CAs if I build my application for Linux or for Windows 10 or later?

I am making the following piece of code:

#if (defined(WIN32) || defined(_WIN32) || defined(__WIN32)) && !defined(__CYGWIN__)
#define ON_WINDOWS 1

// These must be defined before any CRT / Windows header is included to take effect
#define _WINSOCK_DEPRECATED_NO_WARNINGS
#define _CRT_SECURE_NO_WARNINGS
#define WIN32_LEAN_AND_MEAN

#include <winsock2.h>
#include <ws2tcpip.h>
#include <windows.h>
#include <shlwapi.h>

// Need to link with Ws2_32.lib and Shlwapi.lib (PathRemoveFileSpec)
#pragma comment (lib, "Ws2_32.lib")
#pragma comment (lib, "Shlwapi.lib")
//#pragma comment (lib, "Mswsock.lib")
//#pragma comment (lib, "AdvApi32.lib")
#endif

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <openssl/ssl.h>
#include <openssl/err.h>

#ifdef ON_WINDOWS

int verifyCerts( SSL_CTX* ctx )
{
    // directory where the executable is
    char exeDir[MAX_PATH] = "";
    char path[MAX_PATH] = "";

    GetModuleFileNameA(NULL, exeDir, MAX_PATH);
    PathRemoveFileSpecA(exeDir);

    // Build "<exe dir>\certificates" into a separate buffer: calling sprintf()
    // with the destination also passed as a source argument is undefined behaviour.
    snprintf(path, sizeof(path), "%s\\%s", exeDir, "certificates");
    printf("\nCert path %s\n", path);

    // CApath must be a hashed directory (c_rehash); returns 1 on success, 0 on failure
    return SSL_CTX_load_verify_locations(ctx, NULL, path);
}

#else // By default use system's CA root

int verifyCerts( SSL_CTX* ctx )
{
    // Not implemented yet: this is the part the question asks about
    return 0;
}

#endif

SSL_CTX* InitCTX(void)
{
    OpenSSL_add_all_algorithms();
    SSL_load_error_strings();
    const SSL_METHOD* method = SSLv23_method();
    SSL_CTX* ctx = SSL_CTX_new(method);

    // Check for NULL before touching ctx
    if (ctx == NULL)
    {
        ERR_print_errors_fp(stderr);
        abort();
    }

    // Disable TLS 1.0 and 1.1
    SSL_CTX_set_options(ctx, SSL_OP_ALL | SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1);

    int value = verifyCerts( ctx );
    if(value == 0) {
        printf("Certificate error\n");
        exit(1);
    }

    // Require a valid peer certificate chain; the handshake fails otherwise
    SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, NULL);

    return ctx;
}

In my case I want to do the following:

  • For Windows XP (legacy application) to provide certificates alongside my application so I can make my application as secure as possible.
  • In any other case (for Linux systems or Windows 10 or above) I'll use the OS's default CA certs (no hassle to provide my own).

So how can I ensure that the latter case is applicable as well?

In the #else section just place the following code:

#include <stdlib.h>          // getenv
#include <openssl/ssl.h>
#include <openssl/x509.h>    // X509_get_default_cert_dir(), X509_get_default_cert_dir_env()

int verifyCerts( SSL_CTX* ctx )
{
    // The SSL_CERT_DIR environment variable overrides the directory compiled into OpenSSL
    const char *path = getenv(X509_get_default_cert_dir_env());

    if (!path){
        // e.g. /usr/lib/ssl/certs or /etc/ssl/certs, depending on the OpenSSL build
        path = X509_get_default_cert_dir();
    }

    // CApath must be a hashed directory (c_rehash); returns 1 on success, 0 on failure
    return SSL_CTX_load_verify_locations(ctx,NULL,path);
}

That will allow Linux systems to verify using the default certs path. So for Windows XP only we can use custom mingw flags.
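The two calls in the answer are the directory half of what OpenSSL's own SSL_CTX_set_default_verify_paths() does (that call also honours SSL_CERT_FILE for a bundle file). Two things the question's code does not cover are worth checking at startup: SSL_CTX_load_verify_locations() accepts any CApath string without checking that the directory exists or is hashed, so an empty or unhashed "certificates" directory next to the executable only shows up as a failure at handshake time; and loading CAs alone does not bind the certificate to the host name being contacted. The following added example, which is not part of the question or the answer, uses Python's ssl module (a thin wrapper over the same OpenSSL API) to show what the default paths resolve to on the current system, to build a client context that actually enforces verification (peer certificate required, host name checked, TLS 1.2 minimum, matching the SSL_OP_NO_TLSv1 / SSL_OP_NO_TLSv1_1 options above), and to check a bundled CApath for hashed entries before trusting it. The function names, the bundled_dir parameter and the constructed directory contents are mine.

```python
import os
import re
import ssl
import tempfile

# OpenSSL's hashed-directory lookup only finds files named <8 hex digits>.<n>,
# e.g. 4a6481c9.0, as produced by c_rehash / openssl rehash (CRLs use .r<n>).
HASHED_CERT_NAME = re.compile(r"^[0-9a-f]{8}\.\d+$")


def openssl_default_paths():
    """Report what X509_get_default_cert_dir(_env)() / X509_get_default_cert_file(_env)()
    resolve to in this process. 'capath'/'cafile' are the effective values (environment
    variable if set, else the compiled-in default), or None when that path does not exist."""
    p = ssl.get_default_verify_paths()
    return {
        "capath_env": p.openssl_capath_env,   # name of the env var: "SSL_CERT_DIR"
        "cafile_env": p.openssl_cafile_env,   # "SSL_CERT_FILE"
        "capath": p.capath,                   # effective directory
        "cafile": p.cafile,                   # effective bundle file
        "compiled_capath": p.openssl_capath,  # what X509_get_default_cert_dir() returns
        "compiled_cafile": p.openssl_cafile,  # what X509_get_default_cert_file() returns
    }


def hashed_cert_entries(capath):
    """Certificate files in capath that the hashed-directory lookup will actually find.
    An empty result means SSL_CTX_load_verify_locations(ctx, NULL, capath) would still
    return success, but every handshake would then fail verification."""
    if not os.path.isdir(capath):
        return []
    return sorted(name for name in os.listdir(capath) if HASHED_CERT_NAME.match(name))


def make_verifying_context(bundled_dir=None):
    """Client context that enforces certificate verification.

    bundled_dir is a hypothetical directory of CA certificates shipped next to the
    application (the Windows XP case). None means the OS default store: on Linux the
    SSL_CERT_DIR / SSL_CERT_FILE variables or the compiled-in paths, on Windows the
    system certificate store (Python reads it for you; plain OpenSSL does not)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # same effect as SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1
    ctx.verify_mode = ssl.CERT_REQUIRED           # SSL_VERIFY_PEER: no valid chain, no connection
    ctx.check_hostname = True                     # bind the certificate to the server name
    if bundled_dir is not None:
        if not hashed_cert_entries(bundled_dir):
            raise RuntimeError(f"no hashed CA certificates in {bundled_dir}")
        ctx.load_verify_locations(capath=bundled_dir)  # CApath, as in the C code above
    else:
        ctx.load_default_certs(ssl.Purpose.SERVER_AUTH)
    return ctx


def verification_enforced(ctx):
    """True only if a peer certificate is required, the host name is checked and
    TLS < 1.2 is refused."""
    return (ctx.verify_mode == ssl.CERT_REQUIRED
            and ctx.check_hostname
            and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2)


def constructed_bundle_dir():
    """Constructed sample: a temp 'certificates' directory holding one file with a
    hashed name (contents are a placeholder, not a real certificate) plus a stray
    file that the hashed lookup ignores."""
    d = tempfile.mkdtemp(prefix="certificates-")
    with open(os.path.join(d, "4a6481c9.0"), "w") as f:
        f.write("-----BEGIN CERTIFICATE-----\n(constructed placeholder)\n-----END CERTIFICATE-----\n")
    with open(os.path.join(d, "README.txt"), "w") as f:
        f.write("not a certificate\n")
    return d


def main():
    for key, value in openssl_default_paths().items():
        print(f"{key:16} {value}")
    ctx = make_verifying_context()
    print("verification enforced:", verification_enforced(ctx))
    print("hashed entries in constructed dir:", hashed_cert_entries(constructed_bundle_dir()))


if __name__ == "__main__":
    main()
```

Run it once on each target platform: the printed capath/cafile are the locations the answer's verifyCerts() will end up reading, and a None there means the compiled-in default does not exist on that machine and SSL_CERT_DIR or a bundled directory is needed.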
