I am writing an OpenSSL SSL enabled client application which connects to a Googl

Question

I am writing an OpenSSL SSL enabled client application which connects to a Google server. I have the SSL working and I can monitor the traffic and see that it is definitely encrypted. I am using OpenSSL API function SSL_CTX_load_verify_locations to load a .pem file containing public root certificates to verify that the server is a trusted server...I think!?

I've done LOADS of searching but I can't find a simple description of what I'm meant to do to make sure I am talking to a Google server. Is using a .pem file with root CA's the correct thing to do? How do I know I'm talking to Google and not someone else on the trusted list?

Also, am I meant to distribute the .pem file along with the application, or can it be compiled into my application?

Any help greatly appreciated.

Explanation / Answer

First, you have ask yourself if you trust all the 100s of CAs which are trusted by the browser, which each can sign a certificate for google and each can create sub-CAs which again have same possibilities etc. If you believe that this process is save look at the incidents with Comodo and DigiNotar in 2011.

If you want to be better you do certificate pinning, e.g. either save a fingerprint of the certificate itself or its public key and make sure this is what you get when you connect to the server.

And of course you should do the right certificate verification, e.g.:

Related Questions

Navigate

• Browse (All)
• Browse I
• Subjects

Integrity-first tutoring: explanations and feedback only — we do not complete graded work. Learn more.