You are using OpenSSL to support SSL-enabled communication between a client and a server. You want to instruct OpenSSL to verify the certificate received from the peer.
Every SSL connection has an SSL object, which in turn has an object, and that object, in turn, has X509_STORE object. OpenSSL uses the object as a container for any certificates and CRLs required to verify another certificate. OpenSSL X509_STORE_CTX object and calls X509_verify_cert() for you, but not by default.
OpenSSL’s default behavior is to not verify peer certificates, which is the worst default behavior that any SSL implementation could possibly provide. By not verifying certificates in an SSL connection, the strength of the security provided by SSL is severely reduced, to the point where the two parties in the conversation might as well be using nothing more than a symmetric cipher with keys exchanged in the clear. Without verifying certificates, you will have security against passive eavesdroppers, but that is all. With a small amount of effort, anyone could hijack the TCP connection before the SSL session is established and act as a man-in-the-middle.
To have OpenSSL verify a peer’s certificate, you must issue a call to accepts a bitmask of flags that tell OpenSSL how to deal with certificates. Depending on whether the object is being used as a client ...