libressl / portable

LibreSSL Portable itself. This includes the build scaffold and compatibility layer that builds portable LibreSSL from the OpenBSD source code. Pull requests or patches sent to tech@openbsd.org are welcome.
https://www.libressl.org

libtls: need more detailed cert chain info for client #388

Open github-monoculture opened 6 years ago

github-monoculture commented 6 years ago

I switched my client to libtls the other day and the one difficulty was that I had to cobble together some libressl code to find the issuer name at the end of the chain (to distrust old Symantec-issued certificates, similar to chrome & firefox). Since I don’t understand libressl in detail, that part of my code is probably shaky.

kinichiro commented 6 years ago

Verification of the cert chain is done during the handshake phase, and I don't think libtls has a way to show it. Not by API, but you can use the openssl s_client command to check the cert chain.

github-monoculture commented 6 years ago

I used libtls's tls_peer_cert_chain_pem() and then used libressl code to get the X509s, etc.

github-monoculture commented 6 years ago

This was intended as an enhancement request — to be able to deal with the chain in sane libtls code — but I don’t spend time on github and so have no idea how to set labels (if I’m even permitted to).

4a6f656c commented 6 years ago

The preferred way of untrusting certificates would be to remove these issuers from the trusted root CAs. That aside, it seems that you're wanting a way to get a list of the subjects and issuers for each of the certificates in the trust chain (without resorting to parsing PEM) - is there any particular API that you had in mind for this?