0

Im developing an application and i want this application to connect to my server via ssl (using openssl currently). I want this application to verify my servers certificate. The problem is i dont really know how to do that.

Do i store the full certificate chain in the applications binary and then verify the servers cert based on that? But then how do i handle a certificate change (im not sure how often root ca's and intermediates are going to change)? Or do i only store the Root CA and then step the certificate chain up automatically, downloading the intermediate certificates until i hit the root?

What is the best practice to do this?

StillWaters77
  • 1
  • Applications usually do what browsers do and this functionality is also usually already provided and ideally enabled by default by the SSL libraries used for development. Note that some lower level SSL libraries or functions might not have this functionality integrated or enabled by default - but these should not be used unless one really knows what one is doing. – Steffen Ullrich Jan 26 '21 at 16:38
  • Ah yes i see, thanks for your response. But your comment and also the linked article are not answering my question. Atleast in openssl i have to provide the certificate chain to verify the servers certificate. I cant use the local certificate store that may or may not be already present on the system (nor the browsers store). So atleast i would need the root ca in the application itself. But is it good practice putting the whole certifcation chain into the binary or not? – StillWaters77 Jan 26 '21 at 17:02
  • *"... Atleast in openssl ..."* - OpenSSL also has a default location for a trust store which in Linux and other systems is also properly filled with the publicly trusted certificates. But OpenSSL fits the description of a lower level SSL library. It is not really recommended that you start with this if you don't fully understand the concepts. Higher level libraries in Go, Java, Python, ... come with more sane defaults and configuration. But even in OpenSSL it is not necessary to verify the chain by hand. Note that [security.se] is more about security concepts and not about programming details. – Steffen Ullrich Jan 26 '21 at 18:47
  • Thanks for redirecting me, im now going to just cert pin it. Thank you very much for your help – StillWaters77 Jan 26 '21 at 20:45

0 Answers0