I have a SSL/TLS client program using OpenSSL in C++ programming language. I am looking for methods to validate server certificate (X509
) returned by SSL_get_peer_certificate
function call. Also, I have my own CA certificate loaded using SSL_CTX_load_verify_locations
function. The CA certified the server certificate.
I am able to make SSL session to my server. Now, i want to validate server certificate received during SSL handshake using my own CA. I couldn't find a way to do it in C or C++.
#include <iostream>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <resolv.h>
#include <netdb.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <openssl/bio.h>
#include <openssl/ssl.h>
#include <openssl/err.h>
#include <openssl/pem.h>
#include <openssl/x509.h>
#include <openssl/x509_vfy.h>
#define DEFAULT_PORT_NUMBER 443
int create_socket(char *, uint16_t port_num);
int openSSL_client_init()
{
OpenSSL_add_all_algorithms();
ERR_load_BIO_strings();
ERR_load_crypto_strings();
SSL_load_error_strings();
if (SSL_library_init() < 0)
return -1;
return 0;
}
int openSSL_create_client_ctx(SSL_CTX **ctx)
{
const SSL_METHOD *method = SSLv23_client_method();
if ((*ctx = SSL_CTX_new(method)) == NULL)
return -1;
//SSL_CTX_set_options(*ctx, SSL_OP_NO_SSLv2);
return 0;
}
int main(int argc, char *argv[])
{
BIO *outbio = NULL;
X509 *cert;
X509_NAME *certname = NULL;
SSL_CTX *ctx;
SSL *ssl;
int server = 0;
int ret, i;
if (openSSL_client_init()) {
std :: cerr << "Could not initialize the OpenSSL library !" << std :: endl;
return -1;
}
outbio = BIO_new_fp(stdout, BIO_NOCLOSE);
if (openSSL_create_client_ctx(&ctx)) {
std :: cerr << "Unable to create a new SSL context structure." << std :: endl;
return -1;
}
std :: cout << "Adding Certifcate" << std :: endl;
if (SSL_CTX_load_verify_locations(ctx, "ca-cert.pem", NULL) <= 0) {
std :: cerr << "Unable to Load certificate" << std :: endl;
return -1;
}
ssl = SSL_new(ctx);
server = create_socket(argv[1], atoi(argv[2]));
if (server < 0) {
std :: cerr << "Error: Can't create TCP session" << std :: endl;
return -1;
}
std :: cout << "Successfully made the TCP connection to: " << argv[1] << " port: " << atoi(argv[2]) << std :: endl;
SSL_set_fd(ssl, server);
if (SSL_connect(ssl) != 1) {
std :: cerr << "Error: Could not build a SSL session to: " << argv[1] << std :: endl;
return -1;
}
std :: cout << "Successfully enabled SSL/TLS session to: " << argv[1] << std :: endl;
//SSL_SESSION *ss = SSL_get_session(ssl);
cert = SSL_get_peer_certificate(ssl);
if (cert == NULL) {
std :: cerr << "Error: Could not get a certificate from: " << argv[1] << std :: endl;
return -1;
}
certname = X509_NAME_new();
certname = X509_get_subject_name(cert);
std :: cout << "Displaying the certificate subject data:" << std :: endl;
X509_NAME_print_ex(outbio, certname, 0, 0);
std :: cout << std :: endl;
char msg[100000] = "GET / HTTP/1.1\r\nHOST: www.siliconbolt.com\r\n\r\n";
SSL_write(ssl, msg, strlen(msg));
SSL_read(ssl, msg, 100000);
std :: cout << "Message is " << msg << std :: endl;
SSL_free(ssl);
close(server);
X509_free(cert);
SSL_CTX_free(ctx);
std :: cout << "Finished SSL/TLS connection with server" << std :: endl;
return 0;
}
int create_socket(char *ip_cstr, uint16_t port_num)
{
int fd;
struct sockaddr_in dest_addr;
fd = socket(AF_INET, SOCK_STREAM, 0);
dest_addr.sin_family = AF_INET;
dest_addr.sin_port = htons(port_num);
dest_addr.sin_addr.s_addr = inet_addr(ip_cstr);
memset(&(dest_addr.sin_zero), '\0', 8);
if (connect(fd, (struct sockaddr *)&dest_addr, sizeof(struct sockaddr)) == -1)
return -1;
return fd;
}