
SSL_CTX_set_default_verify_paths and Windows?


Charles Mills

Aug 31, 2012, 11:59:53 AM
Is there documentation for SSL_CTX_set_default_verify_paths()? It's declared
here http://www.openssl.org/docs/ssl/ssl.html but there's no description and
no link that I see.

I have an application working on Windows using explicit PEM certificate
files: SSL_CTX_load_verify_locations(SslCtx, "myCert.pem", NULL);

My interest is in the possibility of using the "built-in" certificate store
in Windows. Is that possible with OpenSSL? Is
SSL_CTX_set_default_verify_paths() relevant? Is there an overview document
somewhere?

Thanks much,
Charles


______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openss...@openssl.org
Automated List Manager majo...@openssl.org

Dave Thompson

Aug 31, 2012, 6:57:47 PM
> From: owner-ope...@openssl.org On Behalf Of Charles Mills
> Sent: Friday, 31 August, 2012 12:00
> To: openss...@openssl.org
> Subject: SSL_CTX_set_default_verify_paths and Windows?
>
> Is there documentation for SSL_CTX_set_default_verify_paths()?
> It's declared here http://www.openssl.org/docs/ssl/ssl.html
> but there's no description and no link that I see.

UTSL (although in this case you must go through several layers).
_set_default_verify is effectively _load_verify_locations
using env vars SSL_CERT_FILE SSL_CERT_DIR if they exist
and otherwise X509_get_default_cert_{file,dir}() which return
a compiled-in file and directory normally file "cert.pem" and
subdir "certs" under OPENSSLDIR, which is configurable at build
time and can be seen with commandline openssl version -d .
If you're using the ShiningLight builds (as I am) they seem
to make OPENSSLDIR /usr/local/ssl, a directory that doesn't
normally exist on Windows systems (it does on many Unixes).

It is still a file and/or directory in OpenSSL format, not MS.

>
> I have an application working on Windows using explicit PEM
> certificate
> files: SSL_CTX_load_verify_locations(SslCtx, "myCert.pem", NULL);
>
> My interest is in the possibility of using the "built-in"
> certificate store
> in Windows. Is that possible with OpenSSL? Is
> SSL_CTX_set_default_verify_paths() relevant? Is there an
> overview document
> somewhere?

1. OpenSSL X509_STORE logic (like several others) is extensible,
i.e. you write code implementing the same interface and plug it
in. I'm sure it's possible to write a store that fetches from MS
instead of from a file or directory like the builtin ones do.
But this looks like a pretty big job. Someone else may already
have done this, but if so I haven't heard or seen of it.

2. OpenSSL has an "ENGINE" feature that was originally created
to handle hardware devices mostly doing low-level crypto operations
(a digest, a symmetric encrypt or decrypt, a publickey encrypt or
decrypt, etc.) It has gradually been adding more functions, rather
like a scifi movie monster feeding on nuclear bomb radiation.
There is definitely an engine for MS CAPI, and I thought I had
heard mention that the engine interface was adding at least some
truststore function. But looking in 1.0.1c I don't see any trace
of such, so maybe I misunderstood or maybe it isn't cooked yet.

Or of course you could just read the certs from MS truststore
and put them in a file or dir in OpenSSL format. The only downside
of that I see is that you won't honor new inserts (or possibly
deletes) unless and until you repeat the process.

Charles Mills

Aug 31, 2012, 7:32:59 PM
Dave, thanks much.

OK, SSL_CTX_set_default_verify_paths() won't do anything for me.

> There is definitely an engine for MS CAPI

I ran into some references to capi and e_capi researching this question on
the Google but I could not find any big picture.

> Or of course you could just read the certs from MS truststore and put them
> in a file or dir in OpenSSL format

That sounds like the way I will go if the customers want this. I'm not
enough of an expert to undertake the extension. I think I might be able to
do it as a pipe and not have to actually write the files to disk. Maybe.

You know what would be a cool feature for OpenSSL (yeah, LOL, I'm sure you
know a thousand)? If there were an API whereby one could set a callback
routine that would get a particular type of data (certificate, key, CA cert,
CRL, etc.) when OpenSSL needed it. Then it would be pretty trivial to read
the data from some privately known store such as the Windows truststore.

Thanks again. Amazing package. Enjoying working with it for the first time.

Charles

Dr. Stephen Henson

Sep 1, 2012, 9:02:52 AM
On Fri, Aug 31, 2012, Dave Thompson wrote:
> like a scifi movie monster feeding on nuclear bomb radiation.
> There is definitely an engine for MS CAPI, and I thought I had
> heard mention that the engine interface was adding at least some
> truststore function. But looking in 1.0.1c I don't see any trace
> of such, so maybe I misunderstood or maybe it isn't cooked yet.
>

No it isn't there at present. Some research is needed on how to retrieve the
trust setting for CAPI stores first (so email CAs don't get trusted for
servers).

It is possible to dump the contents of a cert store using some of the ctrl
options though, but that only dumps them to standard output.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
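The mechanism Dave describes (environment variables first, then the file and directory compiled into OPENSSLDIR), Charles's idea of feeding the Windows store into OpenSSL without writing files to disk, and Steve's point about honouring the CAPI trust settings so that e-mail-only CAs are not trusted for servers, worked as one added example that is not part of this thread. Python's ssl module is used because it wraps the same OpenSSL calls and exposes CAPI enumeration through ssl.enum_certificates(); the sample entries are constructed, and the store names ROOT and CA are the Windows system stores assumed here.

```python
import ssl

# EKU OID for TLS server authentication. A CAPI entry trusted only for e-mail
# protection (1.3.6.1.5.5.7.3.4) must not become a server trust anchor.
SERVER_AUTH_OID = ssl.Purpose.SERVER_AUTH.oid  # "1.3.6.1.5.5.7.3.1"


def default_verify_paths():
    """What SSL_CTX_set_default_verify_paths() consults: the two environment
    variables first, then the file and directory compiled into OPENSSLDIR."""
    p = ssl.get_default_verify_paths()
    return {
        "env_file": p.openssl_cafile_env,   # "SSL_CERT_FILE"
        "env_dir": p.openssl_capath_env,    # "SSL_CERT_DIR"
        "compiled_file": p.openssl_cafile,  # e.g. <OPENSSLDIR>/cert.pem
        "compiled_dir": p.openssl_capath,   # e.g. <OPENSSLDIR>/certs
    }


def select_trusted_der(entries, purpose_oid=SERVER_AUTH_OID):
    """Filter (der_bytes, encoding, trust) tuples as ssl.enum_certificates()
    returns them; `trust` is True (any purpose) or a set of EKU OIDs. Keep
    only X.509 entries covering `purpose_oid`, concatenated as one DER blob."""
    selected = bytearray()
    for der, encoding, trust in entries:
        if encoding != "x509_asn":
            continue  # PKCS#7 and other encodings are not CA certificates
        if trust is True or purpose_oid in trust:
            selected.extend(der)
    return bytes(selected)


def context_from_windows_store(store_names=("ROOT", "CA")):
    """Client context whose anchors come straight from the Windows system
    stores, handed to OpenSSL in memory via cadata rather than a PEM file."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    for name in store_names:  # ssl.enum_certificates() exists on Windows only
        blob = select_trusted_der(ssl.enum_certificates(name))
        if blob:
            ctx.load_verify_locations(cadata=blob)
    return ctx


# Constructed sample entries (not real certificates) so the trust filter can
# be exercised on any platform; context_from_windows_store() needs Windows.
SAMPLE_ENTRIES = [
    (b"\x30\x03AAA", "x509_asn", True),                    # trusted for all
    (b"\x30\x03BBB", "x509_asn", {"1.3.6.1.5.5.7.3.4"}),   # e-mail only
    (b"\x30\x03CCC", "x509_asn", {SERVER_AUTH_OID, "1.3.6.1.5.5.7.3.2"}),
    (b"\x30\x03DDD", "pkcs_7_asn", True),                  # not X.509 DER
]
```

On a Windows host, context_from_windows_store() yields a context that verifies servers against the live system store, so certificates added or removed in CAPI take effect the next time the context is built.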
