Certificate verification with BIO_do_connect()


Question

Is certificate verification performed during a BIO_do_connect call?

I am trying to understand when to use ssl_get_verify_result(). The documentation says this function should be used in conjunction with ssl_get_peer_certificate. But some of the examples (IBM's, for instance) don't, saying that OpenSSL does the verification for us. They only call ssl_get_verify_result() after BIO_do_connect.

I see that BIO_do_connect is actually a macro:

/* BIO_s_accept() and BIO_s_connect() */
#  define BIO_do_connect(b)       BIO_do_handshake(b)
#  define BIO_do_accept(b)        BIO_do_handshake(b)
# endif /* OPENSSL_NO_SOCK */

# define BIO_do_handshake(b)     BIO_ctrl(b,BIO_C_DO_STATE_MACHINE,0,NULL)

So, my understanding is that BIO_do_connect does not actually check to see if the server sent a certificate. If the server does send a certificate, then ssl_get_verify_result will use that to perform verification. If it doesn't send one, then ssl_get_verify_result still returns X509_V_OK. That is why we need to call ssl_get_peer_certificate to make sure that a certificate is in fact sent. Is this correct?

Recommended answer

If you look at the BIO_do_handshake example, you are safe to call ssl_get_verify_result / ssl_get_peer_certificate after the call to BIO_do_handshake.

You can customize the verification process with SSL_CTX_set_verify, in which you can provide a callback verification function. This allows you to provide your own validation rules, like allowing overrides for things like self-signed certificate support, etc.

