Open github-monoculture opened 6 years ago
Verification of the cert chain is done during the handshake phase, and I don't think libtls has a way to show it. Not via the API, though; you can use the openssl s_client command to check the cert chain.
I used libtls's tls_peer_cert_chain_pem() and then used libressl code to get the X509s, etc.
This was intended as an enhancement request — to be able to deal with the chain in sane libtls code — but I don’t spend time on github and so have no idea how to set labels (if I’m even permitted to).
The preferred way of untrusting certificates would be to remove these issuers from the trusted root CAs. That aside, it seems that you're wanting a way to get a list of the subjects and issuers for each of the certificates in the trust chain (without resorting to parsing PEM) - is there any particular API that you had in mind for this?
I switched my client to libtls the other day and the one difficulty was that I had to cobble together some libressl code to find the issuer name at the end of the chain (to distrust old Symantec-issued certificates, similar to chrome & firefox). Since I don’t understand libressl in detail, that part of my code is probably shaky.
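A worked version of the chain walk discussed in this thread, added here as an example (it is not code from the issue author or from LibreSSL). It is written in Go with its standard library rather than in C against libtls so it runs stand-alone: the PEM bundle stands in for what tls_peer_cert_chain_pem() returns (leaf first, then the intermediates the peer sent), each certificate's subject and issuer are pulled out without hand-parsing PEM, and the issuer of the last certificate presented is checked against a distrust list. All certificate names, the sample chain and the distrust list are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// NamePair holds the printable subject and issuer of one certificate.
type NamePair struct {
	Subject string
	Issuer  string
}

// ParseChain decodes every CERTIFICATE block in a PEM bundle, in the order
// the peer sent them (leaf first). Non-certificate blocks are skipped.
func ParseChain(pemChain []byte) ([]*x509.Certificate, error) {
	var chain []*x509.Certificate
	for rest := pemChain; ; {
		var block *pem.Block
		block, rest = pem.Decode(rest)
		if block == nil {
			break
		}
		if block.Type != "CERTIFICATE" {
			continue
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, fmt.Errorf("certificate %d: %w", len(chain), err)
		}
		chain = append(chain, cert)
	}
	if len(chain) == 0 {
		return nil, errors.New("no certificates found in PEM chain")
	}
	return chain, nil
}

// ChainNames returns subject/issuer strings for each certificate, for logging.
func ChainNames(chain []*x509.Certificate) []NamePair {
	names := make([]NamePair, 0, len(chain))
	for _, c := range chain {
		names = append(names, NamePair{Subject: c.Subject.String(), Issuer: c.Issuer.String()})
	}
	return names
}

// FinalIssuerDistrusted reports whether the issuer of the last certificate the
// peer presented (the one closest to the root) carries an Organization that is
// on the distrust list. This is the "issuer name at the end of the chain" check.
func FinalIssuerDistrusted(chain []*x509.Certificate, distrustedOrgs []string) bool {
	if len(chain) == 0 {
		return false
	}
	for _, org := range chain[len(chain)-1].Issuer.Organization {
		for _, bad := range distrustedOrgs {
			if org == bad {
				return true
			}
		}
	}
	return false
}

// BuildSampleChain constructs an in-memory root -> intermediate -> leaf chain
// (constructed test data, not a real PKI) and returns leaf+intermediate as PEM,
// which is what a server would send and what tls_peer_cert_chain_pem() yields.
func BuildSampleChain(rootOrg string) ([]byte, error) {
	now := time.Now()
	newKey := func() (*ecdsa.PrivateKey, error) { return ecdsa.GenerateKey(elliptic.P256(), rand.Reader) }
	rootKey, err := newKey()
	if err != nil {
		return nil, err
	}
	root := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		Subject: pkix.Name{CommonName: "Example Root CA", Organization: []string{rootOrg}},
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	rootDER, err := x509.CreateCertificate(rand.Reader, root, root, &rootKey.PublicKey, rootKey)
	if err != nil {
		return nil, err
	}
	rootCert, _ := x509.ParseCertificate(rootDER)
	interKey, err := newKey()
	if err != nil {
		return nil, err
	}
	inter := &x509.Certificate{SerialNumber: big.NewInt(2), NotBefore: root.NotBefore, NotAfter: root.NotAfter,
		Subject: pkix.Name{CommonName: "Example Intermediate CA", Organization: []string{rootOrg}},
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	interDER, err := x509.CreateCertificate(rand.Reader, inter, rootCert, &interKey.PublicKey, rootKey)
	if err != nil {
		return nil, err
	}
	interCert, _ := x509.ParseCertificate(interDER)
	leafKey, err := newKey()
	if err != nil {
		return nil, err
	}
	leaf := &x509.Certificate{SerialNumber: big.NewInt(3), NotBefore: root.NotBefore, NotAfter: root.NotAfter,
		Subject: pkix.Name{CommonName: "www.example.test"}, DNSNames: []string{"www.example.test"},
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	leafDER, err := x509.CreateCertificate(rand.Reader, leaf, interCert, &leafKey.PublicKey, interKey)
	if err != nil {
		return nil, err
	}
	var buf bytes.Buffer
	pem.Encode(&buf, &pem.Block{Type: "CERTIFICATE", Bytes: leafDER})
	pem.Encode(&buf, &pem.Block{Type: "CERTIFICATE", Bytes: interDER})
	return buf.Bytes(), nil
}

func main() {
	distrusted := []string{"Constructed Legacy CA Inc"} // constructed distrust list
	for _, org := range []string{"Constructed Trusted CA Ltd", "Constructed Legacy CA Inc"} {
		pemChain, err := BuildSampleChain(org)
		if err != nil {
			panic(err)
		}
		chain, err := ParseChain(pemChain)
		if err != nil {
			panic(err)
		}
		for i, n := range ChainNames(chain) {
			fmt.Printf("cert %d: subject=%q issuer=%q\n", i, n.Subject, n.Issuer)
		}
		fmt.Printf("final issuer distrusted: %v\n\n", FinalIssuerDistrusted(chain, distrusted))
	}
}
```

In a libtls client the same logic would run after tls_handshake() succeeds, on the buffer returned by tls_peer_cert_chain_pem(); the check deliberately looks at the issuer of the last certificate the peer presented rather than at the root in the local trust store, because that is the name the peer's chain actually leads to. Removing the issuers from the trusted root CAs, as suggested above, remains the cleaner fix where the trust store is under your control.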