I’m using openssl to develop an application and basically I need to find a way to add the remote certificate to the store if the user chooses to. I’m quite new to openssl but I’m sure that this is where I would put the logic to add the certificate:
    if (SSL_get_verify_result(ssl) != X509_V_OK) {
        printf("Certificate did not validate.\n"
               "Do you wish to add this certificate to the trust certificate store? (yes/no)\n");
        char response[8];                      /* "yes" plus NUL needs 4 bytes; [3] overflowed */
        while (1) {
            if (scanf("%7s", response) != 1)   /* bounded read; EOF/read error counts as "no" */
                strcpy(response, "no");
            if (strcmp(response, "yes") == 0) {
                /* Add the certificate */
                break;
            }
            else if (strcmp(response, "no") == 0) {
                BIO_free_all(bio);
                SSL_CTX_free(ctx);
                return 0;
            }
            else {
                printf("yes or no, please.\n");
            }
        }
    }
I tried the openssl documentation but I found it to be quite messy and it’s difficult to find any specifics in there. Any help would be appreciated.
If verification fails, that means that your certificate validation path, the one you’ve loaded with the SSL_CTX_load_verify_locations() method (or similar), could not verify the certificate coming from the peer (you can get this certificate with the SSL_get_peer_certificate() method).
That means that the certificate you’re trying to validate is not signed by any of the certificates in your chain and, unless you change the chain, it will never be validated.
What you need to do depends on whether the certificate you’re trying to validate is a self-signed certificate or not. If it is self-signed, all you need to do is add it to where you’re getting your trust locations from (the location you specify when calling the SSL_CTX_load_verify_locations() method). If it’s not self-signed, you will have to find a way to get the whole chain for that certificate, and that depends on the environment you’re working in.
Regards.