Hello,

Posting this from the newsgroup, hope it works...

I've been trying to access the server keys from an SSL connection using
Crypt::SSLeay and LWP. I really need to use LWP as the rest of the program
is sort of built around it.

Here is what I want to do:

Fetch/Post files to a remote SSL web server and be absolutely certain 
I'm speaking with the correct person.

To verify the remote cert has been signed with one of my CA's, I'm doing
this:

 my $wrn = $res->header('client-ssl-warning');  # Is this a guarantee message
 die "SSL:[WARN]: $wrn" if($wrn);               # if they weren't signed?


Second, I'd like to have a list of known peers and verify that their key
is actually one of the people I trust:

In Lily Tomlin parlance, "Do I have the party to whom I am speaking?"

Should I just do this:

        $dn = $res->header('client-ssl-cert-subject');

And compare $dn to a list of known DN's? Is this secure?

Here is what $dn looks like:

   /C=US/ST=StateName/L=CityName/O=Development Server/OU=Development/CN=proto.example.com

Will the /C=/ST=/ stuff always be in the above format, in the exact same order,
so I can just compare them against a list?

Seems like there is a better way, is there?

Would just extracting the CN portion and comparing it with the remote hostname 
work?

The reason I'm paranoid about this is, I'll be fetching data and commands from
a remote host that will be executed on the local machine. I will be signing
other keys with the same CA, and.. I want to make sure one of those keys isn't
somehow used to attack the machine.

Thanks!

Jamie
-- 
http://www.geniegate.com                    Custom web programming
Perl * Java * UNIX                        User Management Solutions
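An added example, not from the original post: it parses the one-line subject string the post shows into its attributes so that an allowlist comparison does not depend on component order, and it ties the CN to the hostname the program intended to reach, which is what keeps a second certificate signed by the same CA from being accepted in place of the expected one. It assumes the `client-ssl-warning` and `client-ssl-cert-subject` headers quoted in the post; the sample DN is constructed from the post, and it checks CN only (certificates can also carry subjectAltName entries, which this does not look at).

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Parse an OpenSSL one-line subject ("/C=US/ST=StateName/.../CN=host") into
# attribute => value. Component order is ignored. Values containing a "/"
# would need a real DN parser; the DN in the post has none.
sub parse_dn {
    my ($dn) = @_;
    my %attr;
    for my $part (split m{/}, $dn) {
        next unless length $part;                 # skip the empty leading field
        my ($key, $val) = split /=/, $part, 2;
        $attr{$key} = $val if defined $val;
    }
    return \%attr;
}

# Compare two DNs attribute by attribute rather than as raw strings, so a
# reordering of the /C=/ST=/ components cannot cause a spurious mismatch.
sub dn_matches {
    my ($got, $expected) = @_;
    my ($g, $e) = (parse_dn($got), parse_dn($expected));
    return 0 unless keys %$g == keys %$e;
    for my $k (keys %$e) {
        return 0 unless defined $g->{$k} && $g->{$k} eq $e->{$k};
    }
    return 1;
}

# Accept the peer only if its CN equals the host we meant to connect to AND
# its full subject is on the allowlist. The CA signature alone is not enough:
# any other certificate from the same CA would pass that check.
sub peer_is_trusted {
    my ($dn, $host, @allowed) = @_;
    my $cn = parse_dn($dn)->{CN};
    return 0 unless defined $cn && lc $cn eq lc $host;
    return (grep { dn_matches($dn, $_) } @allowed) ? 1 : 0;
}

# Constructed sample, taken from the subject shown in the post.
my @known_dns = ('/C=US/ST=StateName/L=CityName/O=Development Server'
               . '/OU=Development/CN=proto.example.com');
print peer_is_trusted($known_dns[0], 'proto.example.com', @known_dns)
    ? "trusted\n" : "rejected\n";

# Wiring it to the response headers from the post:
#   my $wrn = $res->header('client-ssl-warning');
#   die "SSL:[WARN]: $wrn" if $wrn;
#   my $dn  = $res->header('client-ssl-cert-subject');
#   die "untrusted peer: $dn" unless peer_is_trusted($dn, $host, @known_dns);
```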
