Recently I needed to modify some flags for the verification of X.509 public key certificates. These flags are defined in the x509_vfy.h include file. In particular, it was necessary to set the X509_V_FLAG_X509_STRICT flag, which enables additional security checks and turns off workarounds for broken certificate chains. In other words, this flag makes certificate verification stricter.
This is a C++ code example which sets and gets the X.509 verification flag settings. Tested on Ubuntu 18 LTS and CentOS 8.
#include <stdio.h> #include <openssl/ssl.h> int main(int n, char ** s) { SSL_library_init(); SSL_load_error_strings(); SSL_CTX * ctx = SSL_CTX_new(TLS_client_method()); X509_STORE * store = SSL_CTX_get_cert_store(ctx); X509_VERIFY_PARAM * param = X509_STORE_get0_param(store); unsigned long long flags = X509_VERIFY_PARAM_get_flags(param); printf("Default flags value: 0x%llx\n", flags); // set new flags X509_STORE_set_flags(store, X509_V_FLAG_CRL_CHECK | X509_V_FLAG_X509_STRICT); flags = X509_VERIFY_PARAM_get_flags(param); printf("New flags value: 0x%llx\n", flags); // Check every flag separately if(flags & X509_V_FLAG_CRL_CHECK) printf("X509_V_FLAG_CRL_CHECK flag is set\n"); if(flags & X509_V_FLAG_X509_STRICT) printf("X509_V_FLAG_X509_STRICT flag is set\n"); return 0; } |
Compilation:
# g++ -o x509flags x509flags.cpp -L/usr/lib/x86_64-linux-gnu/ -lssl -lcrypto
Result:
# ./x509flags
Default flags value: 0x0
New flags value: 0x24
X509_V_FLAG_CRL_CHECK flag is set
X509_V_FLAG_X509_STRICT flag is set