On Wed, 26 Sep 2001 09:43:02 -0700, Michael Sierchio wrote:
>Don Zick wrote:
>> I have recently started using OpenSSL. (I have found the "SSL and TLS"
>> book by Eric Rescorla to be invaluable.) I am having a problem with
>> client authentication. After a successful SSL_accept() I have some logic
>> that verifies that the Common Name in the client certificate matches the
>> client's DNS name. This works just fine. However, if the Common Name
>> does not contain the client's DNS name, I would like to check for the
>> client's DNS name in the subjectAltName extension. This is where I'm
>> having a problem. I attempt to check the subjectAltName extension as
>> follows:
>Why bother binding client certs to a DNS name? In a mutually authenticated
>SSL connection, IP addresses may not be important. That each party is in
>possession of the private key and the certs are not revoked should be
>sufficient.
Sufficient for what? I may not want to send my credit card information to
anyone who has a Verisign certificate, but I might be willing to send it to
someone who has a Verisign certificate for 'www.amazon.com' or has that
listed as one of the alternate names.
Comparing the name to the name you get when you resolve the IP you connected to
doesn't seem useful to me. But comparing the name (or alternate name) to the
name you expected to connect to makes very good sense.
DS
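As an added example (not code from this thread), here is the name check DS describes, written in Python over the certificate dictionary that Python's `ssl.SSLSocket.getpeercert()` returns: the name you expected to connect to is compared against the subjectAltName DNS entries, and the Common Name is consulted only when the certificate carries no DNS SAN at all, which is the order current practice (RFC 6125) prescribes rather than the CN-first order in the original question. The certificate dictionaries below are constructed samples, not real certificates.

```python
def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Case-insensitive DNS name match. A leading '*' may stand in for
    exactly one label (RFC 6125 style) and never for a whole suffix."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # The wildcard covers one label only, and at least two fixed labels
    # must follow it, so "*.com" never matches anything.
    if len(p_labels) < 3 or len(h_labels) != len(p_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_matches_expected_host(cert: dict, expected_host: str) -> bool:
    """True if the certificate was issued for expected_host.

    `cert` has the shape returned by ssl.SSLSocket.getpeercert().
    subjectAltName DNS entries are authoritative when present; the subject
    Common Name is only a fallback for certificates without any DNS SAN.
    """
    san_dns = [value for (kind, value) in cert.get("subjectAltName", ())
               if kind == "DNS"]
    if san_dns:
        return any(dns_name_matches(name, expected_host) for name in san_dns)
    for rdn in cert.get("subject", ()):
        for (key, value) in rdn:
            if key == "commonName":
                return dns_name_matches(value, expected_host)
    return False


# Constructed sample (not a real certificate): CN says "amazon.com", but the
# SAN lists www.amazon.com and a one-label wildcard, so the SAN decides.
SAMPLE_CERT_WITH_SAN = {
    "subject": ((("countryName", "US"),), (("commonName", "amazon.com"),)),
    "subjectAltName": (("DNS", "www.amazon.com"),
                       ("DNS", "*.images.amazon.com"),
                       ("IP Address", "192.0.2.10")),
}

# Constructed sample of an older, CN-only certificate with no SAN extension.
SAMPLE_CERT_CN_ONLY = {
    "subject": ((("commonName", "www.amazon.com"),),),
}
```

Because the comparison target is the name the client intended to reach, a reverse lookup of the peer's IP never enters into it.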
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]