Is there a way to get the OpenSSL X509 certificate name that im sending to peer in C++?

Question

I am getting remote certficate mismatch error for a few cases from a peer and I am unable to track the issues from server side.

After doing int ret = SSL_accept(ssl), is there a way that I can get the certificate name and its details from server (C++ binary) during SSL handshake and print that?

Is there any SSL API that I can use?

Thanks!

The s_client does this, if you wanted to poke around in the source code for it. Also, question is similar to: http://stackoverflow.com/questions/6509189/extract-pem-certificate-information-programmatically-using-openssl — Trickfire, Jul 03 '12 at 07:49
Thnx - But this is not what im looking for. Im looking for certificate name sent to client during SSL handshake. — H3llboy, Jul 03 '12 at 07:58
Oops, I did miss that one. So you want to dump the certificate that the server is giving to the client? In that case, I would think the easiest thing to do would to capture the transfer. I don't know of any other way to dump the contents of the current certificate via an API call. Hopefully someone else does. Good luck. — Trickfire, Jul 03 '12 at 08:13
hmm.. yes.. just the certificate name alone is needed for me at least... anyway thanks! — H3llboy, Jul 03 '12 at 08:16

Jon Ander Ortiz Durántez · Accepted Answer · 2022-03-30T22:05:04.837

4

You can use SSL_get_certificate with the SSL session structure (which is returned in the SSL_Accept) to retrieve the X509 structure that owns the certificate served to the client. Later you can extract with some X509 specific functions the CN of the certificate:

X509_NAME_oneline(X509_get_subject_name(certificate), buf, 256);

This would be a naive approach since one cert can handle different CN's, but, it could be enough for your problem.

edited Mar 30 '22 at 22:05

answered Jul 03 '12 at 09:03

Jon Ander Ortiz Durántez

2,542
1
20
29

1

how to get all the CN's from a certificate? – Prasanth Madhavan Aug 02 '12 at 11:39
3

X509_NAME_get_index_by_NID and NID_commonName, and then using X509_NAME_get_entry to get that entry until the first function returns -1 is the answer that I got from my research.. but I am not sure if that works. – Prasanth Madhavan Aug 02 '12 at 11:40
2

@PrasanthMadhavan Yes, it works and it's one of the correct ways as explained here: http://www.openssl.org/docs/crypto/X509_NAME_get_index_by_NID.html – Jon Ander Ortiz Durántez Sep 06 '12 at 17:18

score 0 · Answer 2 · answered Jul 03 '12 at 08:18

I usually do this the 'stupid way' - capturing the

tcpdump -n -s 1500 -w - port 443 and host www.foobar.com | strings

tcpdump -n -s 1500 -w - port 443 and host www.foobar.com | hexdump -C

i.e. just sniffing on the wire. As during a normal (non upgrade, etc) ssl exchange this is exchanged in the clear. While ASN1 encoded - easy to simply 'see' the common name and other DN fields.

000305e0  06 03 55 04 0b 13 16 77  77 77 2e 71 75 6f 76 61  |..U....www.quova|
000305f0  64 69 73 67 6c 6f 62 61  6c 2e 63 6f 6d 31 20 30  |disglobal.com1 0|
00030600  1e 06 03 55 04 03 13 17  51 75 6f 56 61 64 69 73  |...U....QuoVadis|
00030610  20 47 6c 6f 62 61 6c 20  53 53 4c 20 49 43 41 30  | Global SSL ICA0|
00030620  1e 17 0d 31 31 30 38 30  35 31 30 31 38 30 36 5a  |...110805101806Z|
00030630  17 0d 31 32 30 38 30 35  31 30 31 38 30 36 5a 30  |..120805101806Z0|
00030670  1b 30 19 06 03 55 04 0a  13 12 41 42 4e 20 41 4d  |.0...U....ABN AM|
00030680  52 4f 20 42 61 6e 6b 20  4e 2e 56 2e 31 19 30 17  |RO Bank N.V.1.0.|
00030690  06 03 55 04 0b 13 10 49  6e 74 65 72 6e 65 74 20  |..U....Internet |
000306a0  42 61 6e 6b 69 6e 67 31  16 30 14 06 03 55 04 03  |Banking1.0...U..|

is the sort of stuff you see. The proper way to do this is to sit on the callback and analyse the cert stack.

Is there a way to get the OpenSSL X509 certificate name that im sending to peer in C++?

2 Answers2