c++ – Boost, asio, https and host/certificate verification

I am looking at Boost's SSL Client. The comments contain a reference to OpenSSL (sorry, no line numbers):

// The verify callback can be used to check whether the certificate that is
// being presented is valid for the peer. For example, RFC 2818 describes
// the steps involved in doing this for HTTPS. Consult the OpenSSL
// documentation for more details. Note that the callback is called once
// for each certificate in the certificate chain, starting from the root
// certificate authority.

Proper OpenSSL usage and verification can be tricky. From experience, I know I must do the following to use the library correctly:

> Disable SSLv2, SSLv3 and compression on the Context object
> Provide the appropriate root certificates for chain building and checking
> Call SSL_get_peer_certificate and verify that the certificate is non-NULL
> Call SSL_get_verify_result and verify that the result is X509_V_OK
> Perform name matching (the CN or SAN must match the requested host)

OpenSSL 1.1.0 will provide name checking, but at this time it is only available in HEAD. From the OpenSSL Change Log:

Integrate hostname, email address and IP address checking with certificate
verification. New verify options supporting checking in openssl utility.

and:

New functions to check a hostname email or IP address against a
certificate. Add options x509 utility to print results of checks against
a certificate.

I do not see where Boost performs any of this configuration or checking in the client code.

What exactly does Boost configure, and what does it check or verify in the asio library components when using SSL?

Solution

Short answer: the Boost callback function in the link you cited does not verify anything. It returns whatever preliminary verification result OpenSSL hands it (via bool preverified). If any fine-grained verification is needed (such as CN matching, etc.), it must be done explicitly by the callback.

Long answer: when OpenSSL (or the Boost wrapper around OpenSSL) calls the verification function, in this case bool verify_certificate(bool preverified, boost::asio::ssl::verify_context& ctx), a set of preliminary (or mandatory) verifications has already been done by OpenSSL. This is explained in the documentation.

The certificate chain is checked starting with the deepest nesting level (the root CA certificate) and worked upward to the peer's certificate. At each level signatures and issuer attributes are checked. Whenever a verification error is found, the error number is stored in x509_ctx and verify_callback is called with preverify_ok=0. By applying X509_CTX_store_* functions verify_callback can locate the certificate in question and perform additional steps (see EXAMPLES). If no error is found for a certificate, verify_callback is called with preverify_ok=1 before advancing to the next level.

The documentation also references an example of how to write a more fine-grained verification callback. You can take inspiration from it, depending on your needs.

Edit: to make sure that Boost's internal callback function does nothing special beyond calling the application callback, I took a look at engine.ipp, the C++ module that calls OpenSSL's SSL_set_verify to install the callback. Look at how verify_callback_function is implemented. It just calls the application callback.
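The name-matching step from the asker's list, which the Boost sample callback leaves out, as an added example that is not from the original post, from Boost or from OpenSSL: an RFC 2818-style hostname matcher wrapped in a verify_peer_name function with the same preverified/depth decision shape as the Asio callback. It assumes the SAN dNSName entries and the CN have already been extracted from the X509 with the OpenSSL API (left out so the block compiles without Boost or OpenSSL), and that depth comes from X509_STORE_CTX_get_error_depth on ctx.native_handle().

```cpp
#include <algorithm>
#include <cctype>
#include <string>
#include <vector>

// Lower-case a DNS name so matching is case-insensitive (DNS names are).
static std::string lower(std::string s) {
    std::transform(s.begin(), s.end(), s.begin(),
                   [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
    return s;
}

// Match one certificate name (CN or SAN dNSName) against the requested host.
// RFC 2818 / RFC 6125 rules: exact match, or a single "*" as the whole
// leftmost label, matching exactly one host label (never across a dot and
// never for a bare TLD such as "*.com").
bool match_dns_pattern(const std::string& pattern_in, const std::string& host_in) {
    const std::string pattern = lower(pattern_in), host = lower(host_in);
    if (pattern.empty() || host.empty()) return false;
    if (pattern == host) return true;
    if (pattern.compare(0, 2, "*.") != 0) return false;               // only "*.rest"
    const std::string suffix = pattern.substr(1);                      // ".example.com"
    if (std::count(suffix.begin(), suffix.end(), '.') < 2) return false; // refuse "*.com"
    if (host.size() <= suffix.size()) return false;
    if (host.compare(host.size() - suffix.size(), suffix.size(), suffix) != 0) return false;
    const std::string first_label = host.substr(0, host.size() - suffix.size());
    return first_label.find('.') == std::string::npos;                // one label only
}

// Is the certificate valid for host? When SAN dNSName entries are present the
// CN is ignored (RFC 6125 section 6.4.4); the CN is only a fallback without SAN.
bool cert_matches_host(const std::vector<std::string>& san_dns,
                       const std::string& cn, const std::string& host) {
    if (!san_dns.empty())
        return std::any_of(san_dns.begin(), san_dns.end(),
                           [&](const std::string& p) { return match_dns_pattern(p, host); });
    return match_dns_pattern(cn, host);
}

// Same decision shape as the Asio callback: preverified is OpenSSL's result for
// this chain level, depth is 0 for the peer certificate and grows toward the
// root. Names are assumed to have been pulled out of the X509 beforehand.
bool verify_peer_name(bool preverified, int depth,
                      const std::vector<std::string>& san_dns,
                      const std::string& cn, const std::string& expected_host) {
    if (!preverified) return false;   // never override an OpenSSL chain failure
    if (depth != 0) return true;      // intermediates/root: chain check suffices
    return cert_matches_host(san_dns, cn, expected_host);
}
```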
