Changing Certificate Verification Flags in openssl

April 21, 2021

Recently I needed to modify some flags for the verification of X.509 public key certificates. These flags are defined in the x509_vfy.h header file. In particular it was necessary to set the X509_V_FLAG_X509_STRICT flag, which enables additional security checks and turns off workarounds for broken certificate chains. In other words, this flag makes certificate verification stricter.
This is a C++ code example which sets and gets the X.509 verification flag settings. Tested on Ubuntu 18 LTS and CentOS 8.


#include <stdio.h>
#include <openssl/ssl.h>
#include <openssl/x509_vfy.h>

int main(void)
{
   SSL_library_init();
   SSL_load_error_strings();
   SSL_CTX * ctx = SSL_CTX_new(TLS_client_method());
   if (ctx == NULL) {
      fprintf(stderr, "SSL_CTX_new failed\n");
      return 1;
   }
   // The SSL_CTX owns a certificate store; the store's X509_VERIFY_PARAM holds the verification flags
   X509_STORE * store = SSL_CTX_get_cert_store(ctx);
   X509_VERIFY_PARAM * param = X509_STORE_get0_param(store);
   unsigned long flags = X509_VERIFY_PARAM_get_flags(param);   // the API returns unsigned long
   printf("Default flags value: 0x%lx\n", flags);
   // set new flags: they are OR-ed into the existing ones (X509_VERIFY_PARAM_clear_flags removes them).
   // Note that X509_V_FLAG_CRL_CHECK makes verification fail unless a CRL for the issuer is in the store.
   X509_STORE_set_flags(store, X509_V_FLAG_CRL_CHECK | X509_V_FLAG_X509_STRICT);
   flags = X509_VERIFY_PARAM_get_flags(param);
   printf("New flags value: 0x%lx\n", flags);
   // Check every flag separately
   if(flags & X509_V_FLAG_CRL_CHECK)
      printf("X509_V_FLAG_CRL_CHECK flag is set\n");
   if(flags & X509_V_FLAG_X509_STRICT)
      printf("X509_V_FLAG_X509_STRICT flag is set\n");
   SSL_CTX_free(ctx);   // also releases the store
   return 0;
}

Compilation:


# g++ -o x509flags x509flags.cpp -L/usr/lib/x86_64-linux-gnu/ -lssl -lcrypto

Result:


# ./x509flags
Default flags value: 0x0
New flags value: 0x24
X509_V_FLAG_CRL_CHECK flag is set
X509_V_FLAG_X509_STRICT flag is set
