
I have a C Program using OpenSSL library to establish connection to httpbin.org using SSL/TLS. The client program is able to establish connection with the server.

Now, I want to connect to my own server whose certificate is signed by our own private or internal CA. At client side, I want to force OpenSSL to use our own CA for certificate verification. So, my question is:

How do I load my own CA certificate using the library and force it to use only that CA for verification of the server certificate?

jww
abhiarora

1 Answer

Specifying which CA should be used for validation can be done in several ways, depending on how you have the CA (i.e. list of X509 structures, single file, directory with certificates...). Since the last point is not detailed in the question I restrict the answer to the simplest case: a single CA or a list of CAs in PEM format inside a single file. Setting this file as the only CA store for validation can be done with `SSL_CTX_load_verify_locations` like this:

    /* trust only the CA certificate(s) in ca.pem; NULL = no CA directory */
    SSL_CTX_load_verify_locations(ctx, "ca.pem", NULL);

For further information (like error handling) see the documentation and examples on how to use it.

Steffen Ullrich
  • Telling someone to go search the web is less than helpful. Out of curiosity, why do you mostly provide answers with no code? Stack Overflow is a programming and development site, but your answers tend to be of the MCVE-deficient type. The answer above should probably be a comment. It's the reason I rarely upvote your answers. – jww Oct 15 '16 at 19:22
  • @jww: I don't think that stackoverflow is a code writing service but I think it should provide the essential information the OP is missing. In this case I think the OP did not know how to specify the CA: *"How do I load my own CA certificate using the library..."*. Therefore I've provided the name of the function used, the documentation to the function and a link to plenty of examples which show how to use the function. If you feel that more should be done feel free to do it yourself. – Steffen Ullrich Oct 16 '16 at 00:06
  • Stack Overflow is a site for programming and development questions. There is nearly no way to avoid providing functions, code, usage and explanations. Unfortunately, that means many answer will be copy/paste in nature. Perhaps you should review [How do I write a good answer to a question?](http://meta.stackexchange.com/q/7656/173448) You seem to be the only person averse to providing code in an answer. I find your position on avoiding the answer because its a code writing service is almost laughable. – jww Oct 16 '16 at 00:14
  • @jww: It is surely true that a more extensive answer which includes code examples can be more helpful so I've added the essential code line demonstrating the use. But given that the OP did a [follow up question](http://stackoverflow.com/questions/40063533/client-program-to-validate-server-certificate-returned-by-ssl-get-peer-certifica) which included proper use of `SSL_CTX_verify_location` it looks like my original answer was helpful enough at least for the OP anyway. – Steffen Ullrich Oct 16 '16 at 00:48