1

I am getting remote certficate mismatch error for a few cases from a peer and I am unable to track the issues from server side.

After doing int ret = SSL_accept(ssl), is there a way that I can get the certificate name and its details from server (C++ binary) during SSL handshake and print that?

Is there any SSL API that I can use?

Thanks!

john_science
  • 6,325
  • 6
  • 43
  • 60
H3llboy
  • 25
  • 1
  • 5
  • The s_client does this, if you wanted to poke around in the source code for it. Also, question is similar to: http://stackoverflow.com/questions/6509189/extract-pem-certificate-information-programmatically-using-openssl – Trickfire Jul 03 '12 at 07:49
  • Thnx - But this is not what im looking for. Im looking for certificate name sent to client during SSL handshake. – H3llboy Jul 03 '12 at 07:58
  • Oops, I did miss that one. So you want to dump the certificate that the server is giving to the client? In that case, I would think the easiest thing to do would to capture the transfer. I don't know of any other way to dump the contents of the current certificate via an API call. Hopefully someone else does. Good luck. – Trickfire Jul 03 '12 at 08:13
  • hmm.. yes.. just the certificate name alone is needed for me at least... anyway thanks! – H3llboy Jul 03 '12 at 08:16

2 Answers2

4

You can use SSL_get_certificate with the SSL session structure (which is returned in the SSL_Accept) to retrieve the X509 structure that owns the certificate served to the client. Later you can extract with some X509 specific functions the CN of the certificate:

X509_NAME_oneline(X509_get_subject_name(certificate), buf, 256);

This would be a naive approach since one cert can handle different CN's, but, it could be enough for your problem.

0

I usually do this the 'stupid way' - capturing the

tcpdump -n -s 1500 -w - port 443 and host www.foobar.com | strings

tcpdump -n -s 1500 -w - port 443 and host www.foobar.com | hexdump -C

i.e. just sniffing on the wire. As during a normal (non upgrade, etc) ssl exchange this is exchanged in the clear. While ASN1 encoded - easy to simply 'see' the common name and other DN fields.

000305e0  06 03 55 04 0b 13 16 77  77 77 2e 71 75 6f 76 61  |..U....www.quova|
000305f0  64 69 73 67 6c 6f 62 61  6c 2e 63 6f 6d 31 20 30  |disglobal.com1 0|
00030600  1e 06 03 55 04 03 13 17  51 75 6f 56 61 64 69 73  |...U....QuoVadis|
00030610  20 47 6c 6f 62 61 6c 20  53 53 4c 20 49 43 41 30  | Global SSL ICA0|
00030620  1e 17 0d 31 31 30 38 30  35 31 30 31 38 30 36 5a  |...110805101806Z|
00030630  17 0d 31 32 30 38 30 35  31 30 31 38 30 36 5a 30  |..120805101806Z0|
00030670  1b 30 19 06 03 55 04 0a  13 12 41 42 4e 20 41 4d  |.0...U....ABN AM|
00030680  52 4f 20 42 61 6e 6b 20  4e 2e 56 2e 31 19 30 17  |RO Bank N.V.1.0.|
00030690  06 03 55 04 0b 13 10 49  6e 74 65 72 6e 65 74 20  |..U....Internet |
000306a0  42 61 6e 6b 69 6e 67 31  16 30 14 06 03 55 04 03  |Banking1.0...U..|

is the sort of stuff you see. The proper way to do this is to sit on the callback and analyse the cert stack.

Dirk-Willem van Gulik
  • 7,566
  • 2
  • 35
  • 40