prbinu / tls-scan

An Internet scale, blazing fast SSL/TLS scanner ( non-blocking, event-driven )
https://prbinu.github.io/tls-scan

Question on certificate validation #26

Closed ealashwali closed 5 years ago

ealashwali commented 5 years ago

I am sorry that I seem to be misusing the issues section but if there is another way of communication, I will appreciate letting me know.

Just need a bit of clarification on the certificate and host validation process. Namely, the result of the:

"verifyCertResult": true,
"verifyHostResult": true

1) For verifyCertResult I see in the code it calls: SSL_get_verify_result(ssl). Can you please clarify 1) which function makes the verification? Is it going to use X509_verify_cert(), or is there anything else? 2) What does it verify exactly? e.g. signature, chain, etc. Can you specify what it verifies exactly for clarity please? And please provide me with a link to the verification function that will be used from the library.

2) Regarding X509_check_host, does the certificate verification in the previous point include host verification or not?

prbinu commented 5 years ago

For cert verification, we use this function: https://www.openssl.org/docs/man1.0.2/man3/SSL_get_verify_result.html

For host, X509_check_host() function is used: https://www.openssl.org/docs/man1.1.0/man3/X509_check_host.html

Cert and host verifications are separate.
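To make the separation concrete, here is an added example in Python (not tls-scan's code, and not OpenSSL's). It uses the standard `ssl` module, which exposes the same two independent switches as OpenSSL: `verify_mode` drives the chain check that `SSL_get_verify_result` reports, and `check_hostname` drives the host-name check that `X509_check_host` performs. The `check_host` function is a simplified re-implementation of the default `X509_check_host` decision rules (dNSName SANs take precedence over the CN, whole-label wildcard in the leftmost label only, at least two labels after the wildcard); the certificate names and host names it is fed are constructed sample values, not real certificates.

```python
"""Added example: chain verification and host-name verification are separate.

tls-scan reports them as two fields, verifyCertResult (SSL_get_verify_result)
and verifyHostResult (X509_check_host). This file shows the same split in
Python's ssl module and re-implements the host-name matching rules in a
simplified form so the host check can be exercised offline.
"""
import ssl
from typing import Iterable, Optional, Tuple


def context_flags(verify_chain: bool, verify_host: bool) -> ssl.SSLContext:
    """Build a client context with the two checks toggled independently.

    verify_mode  -> chain/signature/trust-anchor check (SSL_get_verify_result)
    check_hostname -> name-in-certificate check (X509_check_host)
    Raises ValueError for verify_host=True with verify_chain=False, because
    a host match against an unverified certificate is meaningless.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Set check_hostname first: the module refuses CERT_NONE while it is on.
    ctx.check_hostname = verify_host
    ctx.verify_mode = ssl.CERT_REQUIRED if verify_chain else ssl.CERT_NONE
    return ctx


def checks_enabled(ctx: ssl.SSLContext) -> Tuple[bool, bool]:
    """Report (chain check on?, host check on?) for a context."""
    return (ctx.verify_mode != ssl.CERT_NONE, ctx.check_hostname)


def _name_match(pattern: str, hostname: str) -> bool:
    """Match one DNS name the way X509_check_host does by default
    (simplified): case-insensitive, wildcard only as the whole leftmost
    label, and at least two labels must follow the wildcard, so
    '*.example.com' matches 'a.example.com' but not 'a.b.example.com',
    'example.com' or anything under a bare '*.com'."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def check_host(san_dns: Iterable[str], common_name: Optional[str], hostname: str) -> bool:
    """Decide what verifyHostResult would be for constructed certificate data.

    Mirrors X509_check_host's default policy: if the certificate carries any
    dNSName SAN entries, only those are consulted; the subject CN is a
    fallback used solely when there are no DNS SANs at all.
    """
    san_dns = list(san_dns)
    if san_dns:
        return any(_name_match(p, hostname) for p in san_dns)
    return common_name is not None and _name_match(common_name, hostname)


def scan_result(chain_ok: bool, san_dns: Iterable[str], common_name: Optional[str],
                hostname: str) -> dict:
    """Assemble the two independent results in the shape tls-scan prints them.

    chain_ok stands in for SSL_get_verify_result == X509_V_OK; it is a
    constructed input here, since no real handshake takes place offline.
    """
    return {
        "verifyCertResult": chain_ok,
        "verifyHostResult": check_host(san_dns, common_name, hostname),
    }


if __name__ == "__main__":
    # Constructed sample: a valid chain whose leaf names the wrong host.
    print(scan_result(True, ["*.example.com"], "example.com", "api.other.example"))
    print(checks_enabled(context_flags(verify_chain=True, verify_host=False)))
```

The first printed result has `verifyCertResult` true and `verifyHostResult` false, which is exactly the combination the two separate fields exist to distinguish: a certificate can chain to a trusted root and still not be issued for the host being scanned.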