Article delegate-en/4060 of [1-5169] on the server localhost:119
  upper oldest olders older1 this newer1 newers latest
[Top/Up] [oldest] - [Older+chunk] - [Newer+chunk] - [newest + Check]
Newsgroups: mail-lists.delegate-en

[DeleGate-En] Re: How to verify a server's certificate?
11 Aug 2008 02:45:48 GMT (Yutaka Sato)
The DeleGate Project

Hi Monika,

In message <_A4059@delegate-en.ML_> on 08/11/08(01:21:53)
you Monika Schilling <> wrote:
 |This is because I want more than the answer "There is some CA certificate 
 |which verifies the certificate of the peer". In order to raise the security 
 |level my intension is to specify the CA certificate explicit and to ignore 
 |the bunch of preinstalled certificates in the system certs folder 
 |(/etc/ssl/certs) of the OpenSSL installation of my openSUSE Linux 
 |distribution completely.
 |OpenSSL Test Case for 2.
 |  ms@r50e-ms:~/tmp/DeleGate> openssl verify -verbose -CApath emptyDir
 |    -CAfile vsign1.pem

I implemented sslway.c of DeleGate to be compatible with the behavior of
"apps/s_client.c" of OpenSSL.  So if you test it with "openssl s_client"
rather than "openssl verify", you will see the same result with the one
of DeleGate.

 |I get a verification error. Obviously the system certs folder is still in
 |the CApath.
 |Is this by intension? Touching the system certs folder is not an option for

Maybe it is because sslway.c loades the default location of certificates
together with the explicitly specified certificates.
If it is the case, it can be disabled by removing the call to
"SSL_CTX_set_default_verify_paths(ctx)" from ssl_setCAs() in

  9 9   Yutaka Sato <>
 ( ~ )  National Institute of Advanced Industrial Science and Technology
_<   >_ 1-1-4 Umezono, Tsukuba, Ibaraki, 305-8568 Japan
Do the more with the less -- B. Fuller

  admin search upper oldest olders older1 this newer1 newers latest
[Top/Up] [oldest] - [Older+chunk] - [Newer+chunk] - [newest + Check]