Boost logo

Boost Users :

Subject: [Boost-users] Using SSL
From: ustulation (ustulation_at_[hidden])
Date: 2013-03-11 07:31:55


Hello. this will be the first time i'll be writing an SSL and am using
boost::asio::ssl. I've gone through the articles over the net and somewhat
understand how ssl works.

I've created 3 files at server end as of now: privateKey.pem,
unsignedCertificate.csr and signedCertificate.pem. I used the server's
privateKey.pem to sign the certificate (hence the generated 3rd file). Hence
Server itself is a Certification Authority in this case (CA).

Now what i understand from theory is:
<1> During handshake client will request server's certificate.
<2> on reception the client must verify if the ceritficate is signed by the
mentioned trusted Certification Authority (CA) in the certificate. Since CA
will have used a private key to sign the certificate client will need CA's
public key stored somewhere on its machine. Use that public key file to
verify that mentioned CA did indeed sign it.
<3> if it is, then verify the certificate as a whole.

In my case, the server had used it's own private key to self-sign the
certificate.

questions:
<1> if CA was one of the trusted third parties the O.S would have stored
it's public key in default locations. In that case i guess all i needed was
ssl::context::set_default_verify_paths() and boost would have used all files
there to match against the CA and use its public key. In this case however i
need Server's public key file. Am i right? How do i get that (server's
public key)? Do i use one of the 3 files above at the client end too? Is it
load_verify_file("..") that i need to call pointing to server's public key?

<2> context::set_verify_callback : does this get called during handshake?
The handler must return bool. Suppose i return false, who will check it and
what will it do? What i am guessing is:
handshake -> blocks and runs a pre-verification test -> calls the supplied
handler -> if handler returns true, handshake is successful otherwise either
the handshake throws or fills the error code with non-zero value depending
on what flavour of handshake(...) was called. Is this correct?

<3> if i use ssl::rfc2818_verification("hostname") as verify_callback
handler, what do i pass in place of hostname if there is no hostname (ie., i
only know the server ip address).

<4> do i have to use chain of files in this case? Because the server would
just send one certificate file - the one that is signed right?

--
View this message in context: http://boost.2283326.n4.nabble.com/Using-SSL-tp4644012.html
Sent from the Boost - Users mailing list archive at Nabble.com.

Boost-users list run by williamkempf at hotmail.com, kalb at libertysoft.com, bjorn.karlsson at readsoft.com, gregod at cs.rpi.edu, wekempf at cox.net