Client program to verify certificate from private CA?

Time: 2016-10-15 16:58:57

Tags: c ssl openssl x509 pki

I have a C program using the OpenSSL library to establish a connection to httpbin.org using SSL/TLS. The client program is able to establish a connection with the server.

Now, I want to connect to my own server whose certificate is signed by our own private or internal CA. On the client side, I want to force OpenSSL to use our own CA for certificate verification. So, my question is:

How do I load my own CA certificate using the library and force it to use only that CA for verification of the server certificate?

1 answer:

Answer 0: (score: 1)

Specifying which CA should be used for validation can be done in several ways, depending on how you have the CA (i.e. list of X509 structures, single file, directory with certificates...). Since the last point is not detailed in the question, I restrict the answer to the simplest case: a single CA or a list of CAs in PEM format inside a single file. Setting this file as the only CA store for validation can be done with SSL_CTX_verify_location like this:

    SSL_CTX_load_verify_locations(ctx, "ca.pem", NULL);

For further information (like error handling) see the documentation and examples on how to use it.
