At 13:09 05.01.00 +0100, you wrote:
>Hi,
Hello,

>I'm using openssl 0.9.4 on Sparc Solaris 2.6/2.7 for a webserver like
>process which must recognize customers from a simple username/password
>scheme or from a client certificate.

>The customer 'subscription' is stored in a database where the username
>is the unique identifier.

>1) When using a client certificate I guess the unique username must be
>stored in the certificate right ? Is the field Common Name (CN) used for
>this purpose ? Am I guaranteed that this field is unique or is this up
>to the CA issuing the certificate?

No, that is just the name of the user.
It needn't be unique.
If the CN had to be unique, it wouldn't be possible for a CA to
publish more than one certificate for a name (e.g. only one Jon Smith...)

You should create a second table in your database containing a link
from a certificate to a local user account.
A good unique identifier would be the digest of the certificate...

>2) My server uses the call SSL_CTX_load_verify_locations(ssl_ctx,
>CAfile, CApath) to load the CAs.
>Is it correct that this function loads the CAs that my client
>certificates can be signed by, meaning that these are the CAs I trust?
>If the CA which signed the client certificate is not in this list, the
>client will be rejected, right ?

Only if you set the flag SSL_VERIFY_FAIL_IF_NO_PEER_CERT for the ssl.
(SSL_set_verify())

Bye

Goetz

-- 
Goetz Babin-Ebell, TC TrustCenter GmbH, http://www.trustcenter.de 
Sonninstr. 24-28, 20097 Hamburg, Germany
Tel.: +49-(0)40 80 80 26 -0,  Fax: +49-(0)40 80 80 26 -126
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
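The two points of the reply above, as an added example that is not part of the original mail or of OpenSSL: a server context that loads its trusted CAs with the same `load_verify_locations(cafile, capath)` semantics and rejects clients without an acceptable certificate (Python's `ssl.CERT_REQUIRED` is the equivalent of `SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT`), plus a second database table that links a certificate digest to a local account instead of relying on the CN. The DER byte strings, the SQLite schema and the choice of SHA-256 as the digest are constructed assumptions made here, not something the mail specifies.

```python
import hashlib
import sqlite3
import ssl
from typing import Optional

# Constructed stand-ins for the DER bytes a server receives from
# SSLSocket.getpeercert(binary_form=True). Not real certificates.
# Both are imagined to carry the same CN ("Jon Smith"), which is exactly
# why the CN cannot serve as the account key.
JON_SMITH_CERT_1 = b"CONSTRUCTED-DER: CN=Jon Smith, serial=1001"
JON_SMITH_CERT_2 = b"CONSTRUCTED-DER: CN=Jon Smith, serial=2042"


def make_server_context(cafile: Optional[str] = None,
                        capath: Optional[str] = None) -> ssl.SSLContext:
    """Server context that trusts only the CAs in cafile/capath and refuses
    a handshake when the client sends no certificate or one that does not
    chain to those CAs.

    ssl.CERT_REQUIRED corresponds to OpenSSL's
    SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT. With SSL_VERIFY_PEER
    alone a client that presents no certificate would still be accepted.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.verify_mode = ssl.CERT_REQUIRED
    if cafile or capath:
        # Same meaning as SSL_CTX_load_verify_locations(ctx, CAfile, CApath)
        ctx.load_verify_locations(cafile=cafile, capath=capath)
    return ctx


def requires_client_cert(ctx: ssl.SSLContext) -> bool:
    """True when the context will fail the handshake without a peer cert."""
    return ctx.verify_mode == ssl.CERT_REQUIRED


def cert_fingerprint(der: bytes) -> str:
    """Unique key for the mapping table: hex SHA-256 of the DER encoding.
    The mail only says 'the digest'; SHA-256 is the assumption used here."""
    return hashlib.sha256(der).hexdigest()


def setup_db() -> sqlite3.Connection:
    """Constructed schema: the existing users table plus the second table
    the reply recommends, keyed by certificate digest."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (
            username TEXT PRIMARY KEY,
            subscription TEXT NOT NULL
        );
        CREATE TABLE cert_users (
            fingerprint TEXT PRIMARY KEY,
            username TEXT NOT NULL REFERENCES users(username)
        );
    """)
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("jsmith", "basic"), ("jon.smith.2", "premium")])
    return conn


def enroll_certificate(conn: sqlite3.Connection, der: bytes,
                       username: str) -> bool:
    """Bind a certificate to an account. Returns False if that certificate
    is already bound (the PRIMARY KEY on the digest enforces uniqueness)."""
    try:
        conn.execute("INSERT INTO cert_users VALUES (?, ?)",
                     (cert_fingerprint(der), username))
    except sqlite3.IntegrityError:
        return False
    return True


def lookup_user(conn: sqlite3.Connection, der: bytes) -> Optional[str]:
    """Resolve a presented certificate to the local username, or None when
    the certificate was never enrolled (a valid cert from a trusted CA is
    not by itself a subscription)."""
    row = conn.execute(
        "SELECT username FROM cert_users WHERE fingerprint = ?",
        (cert_fingerprint(der),),
    ).fetchone()
    return row[0] if row else None


def authenticate_peer(conn: sqlite3.Connection,
                      ssock: ssl.SSLSocket) -> Optional[str]:
    """After a successful handshake on a CERT_REQUIRED context, map the
    verified peer certificate to an account."""
    der = ssock.getpeercert(binary_form=True)
    return lookup_user(conn, der) if der else None


if __name__ == "__main__":
    db = setup_db()
    enroll_certificate(db, JON_SMITH_CERT_1, "jsmith")
    enroll_certificate(db, JON_SMITH_CERT_2, "jon.smith.2")
    print(lookup_user(db, JON_SMITH_CERT_1), lookup_user(db, JON_SMITH_CERT_2))
    print(requires_client_cert(make_server_context()))
```

The two constructed certificates share a CN but resolve to different accounts because the table is keyed by the certificate digest; a certificate that was never enrolled yields `None` even though it would have passed CA verification at the TLS layer.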
