On Jan 30, 11:54 am, Nelson B Bolyard <nel...@bolyard.me> wrote: > B is going to log about the connection from C before it happens? > uh ...
Yes; A is in fact a server for a centralized peer-to-peer network and B and C are peers. It would be useful if the logs of a given peer contained the common names of other peers as reported by the server, regardless if direct TCP connection with the peer has been established or not (the peers talk via the server in order to establish a direct connection). > Is the connection between A and B secure? If not, then an attacker > can defeat your design by MITMing that connection. Yes, it's SSL. But still, when the actual connection happens, the certificate is still checked for validity against some CA (I explicitly call CERT_VerifyCertNow in the SSL_AuthCertificateHook callback). > CERTCertificate should have been opaque with accessor functions, but alas. > Just reach in and grab cert->derCert. Yes, that seems to be the right way for B to make sure it's talking to right peer. > Depends on what you're trying to accomplish, what question you're trying > to answer. If the question is merely "are these two certs identical" > then comparing both from stem to stern is a very good way. If you're > trying to ask "do these two certs identify the same subject", then you > may need to do much more work. > Just byte-comparing seems right; I see no reason why system C would want to use different certificates for connecing to A and C. Thank you for your response. I think my problem is solved now. -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
