I am using SSL to create a secure connection and using the certificate which is certified by the CA. After making the SSL session, I want to check the validity of the certificate and if it is not valid, I need to break all the ongoing sessions.

How can I track the ongoing SSL sessions to check how many sessions are established using this certificate? Is there any API to track the active SSL sessions?

Shall I use SSL_CTX_remove_session() to terminate the SSL session? Or is there any specific API for terminating the SSL session in OpenSSL? If resumption is supported, will it keep a separate copy of this session?

Kyle Trauberman
user1345697
  • Not valid how? If the certificate really isn't valid the session won't even open: for example, if it is corrupt or not trusted. – user207421 May 09 '12 at 09:00
  • If the certificate is revoked after the session establishment phase, then I want to break the session – user1345697 May 09 '12 at 11:17
  • possible duplicate of [x509 certificate verification in C](http://stackoverflow.com/questions/2756553/x509-certificate-verification-in-c) – jww Mar 03 '14 at 05:22

1 Answer

After connecting to the server you can get the certificate verification result via SSL_get_verify_result() (see the man page).

Afterwards you can get the associated session for a connection via SSL_get_session() (man page) and remove it from the session cache via SSL_CTX_remove_session().

This will not cancel each connection which is using this session, but it will ensure that no new connection is reusing the old (invalidated and removed) session. To close the connection use SSL_shutdown().

Do not forget to add OCSP and CRL checks to your code.

If you really want to track used sessions, one way would be to include your own session handling callbacks (see the documentation for session handling) and keep track of the SSL objects which need to be terminated.

EDIT after comment:

This code should allow you to recheck the certificate anytime, and recheck the CRL status.

    /* load the CRL (DER-encoded; for a PEM file use PEM_read_X509_CRL() instead) */
    X509_CRL *crl = NULL;                 /* must be NULL so d2i allocates it */
    FILE *fp = fopen(/* path to crl */, "rb");
    d2i_X509_CRL_fp(fp, &crl);
    fclose(fp);

    X509 *cert = SSL_get_peer_certificate(ssl); /* ssl is your running connection */
    X509_STORE *store = SSL_CTX_get_cert_store(ctx);
    /* add the CRL (the store takes its own reference) and require CRL checking */
    X509_STORE_add_crl(store, crl);
    X509_CRL_free(crl);
    X509_VERIFY_PARAM *param = X509_VERIFY_PARAM_new();
    X509_VERIFY_PARAM_set_flags(param, X509_V_FLAG_CRL_CHECK);
    X509_STORE_set1_param(store, param);  /* copies the parameters */
    X509_VERIFY_PARAM_free(param);

    /* re-run path validation; the peer's chain supplies any intermediates */
    X509_STORE_CTX *csc = X509_STORE_CTX_new();
    X509_STORE_CTX_init(csc, store, cert, SSL_get_peer_cert_chain(ssl));
    /* set the callback after init: X509_STORE_CTX_init() resets it */
    X509_STORE_CTX_set_verify_cb(csc, /* your verify callback here */);
    int ret = X509_verify_cert(csc);      /* 1 = still valid, else see X509_STORE_CTX_get_error(csc) */
    X509_STORE_CTX_free(csc);
    X509_free(cert);                      /* SSL_get_peer_certificate() took a reference */
dwalter
  • Thanks for your answer. SSL_get_verify_result() will give the return value which is set at the time of connection establishment. I want to check the certificate revocation status for the ongoing connections. – user1345697 May 09 '12 at 11:58
  • I've added some sample code to the answer, I hope this is more helpful. – dwalter May 09 '12 at 12:12
  • It would be very helpful if you add the sample code. Is it like OCSP_basic_verify() in crypto/ocsp/ocsp_vfy.c? – user1345697 May 09 '12 at 12:24
  • I am maintaining a CRL. I just want to check whether my certificate is included in that list or not. Is there any OpenSSL API for that, or do I need to go through the list to find out? – user1345697 May 11 '12 at 11:34
  • The above code example checks if the certificate is revoked via the CRL and additionally revalidates the certificate (needed if the lifetime of the certificate is over). – dwalter May 11 '12 at 11:37
  • Is there any OpenSSL API or method to check the file name of the certificate which is present in the SSL connection? – user1345697 May 15 '12 at 04:56
  • I don't understand your question. What filename should be available? – dwalter May 15 '12 at 08:15
  • I mean the certificate name, not the content. I want to compare the certificate name instead of the full certificate. One of my modules will update the CRL status and dump the name of the cert which is revoked. In another module, I just want to check whether my cert (for the already running SSL session) is included in this list or not (to avoid the CRL check again). – user1345697 May 15 '12 at 08:44
  • So you mean the subject name. `X509_NAME_oneline(X509_get_subject_name(cert), buf, 256);` would be a way to get the subjectname into a `char buf[256]`. – dwalter May 15 '12 at 10:01
  • Not the subject name. I mean the certificate filename which is used for creating the SSL connection (e.g. client1-ipsec.pem, the filename argument used for SSL_CTX_use_PrivateKey_file(filename, type)). I don't want to parse the certificate. – user1345697 May 15 '12 at 10:46
  • You cannot get the certificate's filename over a remote connection, since it is absolutely not part of the certificate. To identify a certificate you can use the hash value of the certificate, or the serial number + issuer. Or, as I mentioned earlier, the subject name (subject alternative names if used). – dwalter May 15 '12 at 10:50
  • You're welcome. Hope my answer helped you, and you may want to accept it as solution to your question. – dwalter May 15 '12 at 11:00
  • Using the API, how can I verify the expiry date of an X509 certificate? I just want to check only the expiry date. – user1345697 Jun 07 '12 at 07:58
  • Got information: `if (X509_cmp_current_time(X509_get_notAfter(cert)) < 0)` – certificate has expired. – user1345697 Jun 07 '12 at 10:52