#8 tls::verify

Peter Hall

Need a way to verify a certificate is valid before attempting to use it over
an SSL/TLS connection.

Added tls::verify ?-cadir? ?-cafile? -certfile

"OK" if the certificate is good to use
"BAD" if there's something wrong with the certificate.

tls::verify -cafile c:/im/certs/CAlwc.crt -certfile c:/im/certs/lwc.crt

tls::verify -cadir /demoCA/newcerts -certfile /demoCA/cacert.pem


  • Peter Hall

    Peter Hall - 2006-11-08


  • Jeffrey Hobbs

    Jeffrey Hobbs - 2007-06-25

    Logged In: YES
    Originator: NO

    I have updated the code, but I can't get it to actually verify any certs, so I wonder if something is either wrong with what I'm testing, or the code itself. Attached is an updated diff.

    Why was tlsInt.h modified? I didn't require those headers.

    Also, what is the point of the OpenSSL_add_all_algorithms() call?
    File Added: tls-verify.diff

  • Pat Thoyts

    Pat Thoyts - 2007-09-07

    Logged In: YES
    Originator: NO

    For some reason this only seems to validate if the certificates are in the current directory.
    (win) 203 % tls::verify -cafile ~/Certificates/CAcert/cacert_class1.crt -certfile ~/Certificates/CAcert/cacert_class3.crt
    (win) 204 % tls::verify -cafile ~/Certificates/CAcert/cacert_class1.crt -certfile ~/Certificates/patthoyts.crt
    (win) 205 % tls::verify -cafile cacert_class1.crt -certfile cacert_class3.crt
    (win) 206 % tls::verify -cafile cacert_class1.crt -certfile patthoyts.crt

    OpenSSL has the following to say about these certificates:

    C:\opt\tcl\src\tls\win>openssl verify -CAfile cacert_class1.crt cacert_class3.crt
    cacert_class3.crt: OK

    C:\opt\tcl\src\tls\win>openssl verify -CAfile cacert_class1.crt patthoyts.crt
    patthoyts.crt: /C=GB/ST=England/L=Bristol/O=Pat Thoyts/OU=Software Signing/CN=Pat Thoyts/emailAddress=patthoyts@users.sourceforge.net
    error 20 at 0 depth lookup:unable to get local issuer certificate

    and openssl itself has no trouble using a directory path.

  • Victor Wagner

    Victor Wagner - 2008-10-17

    I think that it is better to use the already existing Tcl_BIO API to read certificates. It would solve all problems with using certificates on VFS. But it would make the verify command incompatible with the import command: there is no guarantee that a certificate which was successfully verified can be used by ::tls::import, which uses an internal OpenSSL function to open files.

    So, I suggest that the best way to pass certificates around is to load them into Tcl variables. A certificate in PEM format is a relatively short (no more than a couple of kilobytes) ASCII string, and should be treated as such.

    A more interesting thing is private keys. Private keys can be stored on a hardware token and never be extractable from there. One just passes around a reference to a particular key on the token and delegates the actual cryptographic operations to an engine module, which knows how to do them on the token.

    Btw, if we are to verify a certificate before use, it is also a good idea to check whether we really have the private key for this certificate.

    Also, there is no need to use a separate verification callback for the verify function.
    There is already a pretty good VerifyCallback function, which is able to call Tcl scripts.
    So, just use it.
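
Added example (not part of the thread and not the patch's code): a shell script that builds a constructed root, intermediate and leaf chain with the openssl CLI, shows one situation in which `openssl verify` gives the OK and error 20 results of the kind quoted in Pat Thoyts's comment, and performs the certificate/private-key match check Victor Wagner suggests. The certificate names, file names and helper functions are made up for illustration, and the openssl CLI is assumed to be on PATH.

```shell
#!/bin/sh
# Constructed chain (all names made up): root -> inter -> leaf. Needs the openssl CLI.
work=$(mktemp -d); trap 'rm -rf "$work"' EXIT
printf '[req]\ndistinguished_name=dn\n[dn]\n' > "$work/req.cnf"
printf 'basicConstraints=critical,CA:TRUE\n' > "$work/ca.ext"

# new_csr NAME: fresh RSA key and certificate request under $work
new_csr() {
    openssl req -new -newkey rsa:2048 -nodes -config "$work/req.cnf" \
        -subj "/CN=constructed $1" -keyout "$work/$1.key" -out "$work/$1.csr" 2>/dev/null
}

# sign NAME ARGS...: turn NAME.csr into NAME.crt, valid for one day
sign() {
    name=$1; shift
    openssl x509 -req -in "$work/$name.csr" -days 1 -out "$work/$name.crt" "$@" 2>/dev/null
}

build_chain() {
    new_csr root && new_csr inter && new_csr leaf || return 1
    sign root -signkey "$work/root.key" -extfile "$work/ca.ext" &&
    sign inter -CA "$work/root.crt" -CAkey "$work/root.key" -CAcreateserial -extfile "$work/ca.ext" &&
    sign leaf -CA "$work/inter.crt" -CAkey "$work/inter.key" -CAcreateserial
}

# verify_status ARGS...: run "openssl verify ARGS", print OK or "error N"
verify_status() {
    out=$(openssl verify "$@" 2>&1) || true
    code=$(printf '%s\n' "$out" | sed -n 's/^error \([0-9][0-9]*\) at .*/\1/p' | head -n 1)
    if [ -n "$code" ]; then echo "error $code"
    else case $out in *": OK"*) echo OK ;; *) echo unknown ;; esac
    fi
}

# key_matches CERT KEY: succeed only if KEY holds the private key for CERT
key_matches() {
    pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) && [ -n "$pub" ] &&
        [ "$pub" = "$(openssl pkey -in "$2" -pubout 2>/dev/null)" ]
}

build_chain || { echo "could not build the constructed chain" >&2; exit 1; }
echo "inter, root only:         $(verify_status -CAfile "$work/root.crt" "$work/inter.crt")"
echo "leaf, root only:          $(verify_status -CAfile "$work/root.crt" "$work/leaf.crt")"
echo "leaf, root + untrusted:   $(verify_status -CAfile "$work/root.crt" -untrusted "$work/inter.crt" "$work/leaf.crt")"
key_matches "$work/leaf.crt" "$work/leaf.key" && echo "leaf.key matches leaf.crt"
key_matches "$work/leaf.crt" "$work/inter.key" || echo "inter.key does not match leaf.crt"
```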

