On Wed, 26 Sep 2001 09:43:02 -0700, Michael Sierchio wrote:

>Don Zick wrote:
>> I have recently started using OpenSSL. (I have found the "SSL and TLS"
>> book by Eric Rescorla to be invaluable.) I am having a problem with
>> client authentication. After a successful SSL_accept() I have some logic
>> that verifies that the Common Name in the client certificate matches the
>> client's DNS name. This works just fine. However, if the Common Name
>> does not contain the client's DNS name, I would like to check for the
>> client's DNS name in the subjectAltName extension. This is where I'm
>> having a problem. I attempt to check the subjectAltName extension as
>> follows:

>Why bother binding client certs to a DNS name? In a mutually authenticated
>SSL connection, IP addresses may not be important. That each party is in
>possession of the private key and the certs are not revoked should be
>sufficient.

Sufficient for what? I may not want to send my credit card information to
anyone who has a Verisign certificate, but I might be willing to send it to
someone who has a Verisign certificate for 'www.amazon.com' or has that
listed as one of the alternate names.

Comparing the name to the name you get when you resolve the IP you connected
to doesn't seem useful to me. But comparing the name (or alternate name) to
the name you expected to connect to makes very good sense.

DS

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
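The check DS argues for, as an added example that is not code from this thread or from OpenSSL: the subjectAltName extension value (a DER GeneralNames SEQUENCE, RFC 5280 4.2.1.6) is decoded and the name you expected to connect to is compared against its dNSName entries, with the subject Common Name consulted only when the certificate carries no dNSName entry at all. That "SAN first, CN only as fallback" order is the RFC 6125 rule, which postdates this thread; Don Zick's CN-then-SAN order is the other choice. The example is in Python so it runs without an OpenSSL build; the DER sample, the `_tlv` encoder used to build it, and all hostnames are constructed for the demonstration.

```python
"""Match an expected DNS name against a certificate's subjectAltName / CN.

Constructed example: the subjectAltName value is hand-built DER rather
than read from a real certificate, so the script runs offline.
"""
import ipaddress


def der_len(buf, pos):
    """Decode a DER length at buf[pos]; return (length, position after it)."""
    first = buf[pos]
    if first < 0x80:                      # short form: length in one byte
        return first, pos + 1
    n = first & 0x7F                      # long form: n following length bytes
    if n == 0 or n > 4:
        raise ValueError("unsupported DER length encoding")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def parse_general_names(san_value):
    """Parse a DER GeneralNames SEQUENCE into [(kind, value)].

    Decodes dNSName ([2]), rfc822Name ([1]) and iPAddress ([7]); any other
    GeneralName choice is returned as ("other", raw_bytes) so nothing is
    silently dropped.
    """
    if not san_value or san_value[0] != 0x30:
        raise ValueError("subjectAltName value is not a SEQUENCE")
    total, pos = der_len(san_value, 1)
    end = pos + total
    if end != len(san_value):
        raise ValueError("trailing bytes after GeneralNames")
    names = []
    while pos < end:
        tag = san_value[pos]
        length, pos = der_len(san_value, pos + 1)
        body = san_value[pos:pos + length]
        pos += length
        if tag == 0x82:                   # [2] IMPLICIT IA5String: dNSName
            names.append(("dns", body.decode("ascii")))
        elif tag == 0x81:                 # [1] IMPLICIT IA5String: rfc822Name
            names.append(("email", body.decode("ascii")))
        elif tag == 0x87:                 # [7] IMPLICIT OCTET STRING: iPAddress
            names.append(("ip", str(ipaddress.ip_address(body))))
        else:
            names.append(("other", body))
    return names


def dns_name_matches(pattern, hostname):
    """RFC 6125-style comparison: case-insensitive, trailing dot ignored,
    '*' permitted only as the entire leftmost label of a name with at least
    three labels, and it never matches more than one label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_matches_host(common_name, san_value, expected_host):
    """True if expected_host is one of the certificate's DNS identities.

    When the certificate has any dNSName SAN entries, only those count; the
    subject CN is used solely for certificates with no dNSName SAN. This
    stops a CN chosen to look like a hostname from overriding the SAN list.
    """
    dns_names = []
    if san_value:
        dns_names = [v for k, v in parse_general_names(san_value) if k == "dns"]
    if dns_names:
        return any(dns_name_matches(n, expected_host) for n in dns_names)
    return common_name is not None and dns_name_matches(common_name, expected_host)


def _tlv(tag, body):
    """Constructed helper: DER tag-length-value for bodies under 256 bytes."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    if n < 0x100:
        return bytes([tag, 0x81, n]) + body
    raise ValueError("body too long for this demo encoder")


# Constructed sample SAN: two dNSName entries and one iPAddress entry.
SAMPLE_SAN = _tlv(0x30,
                  _tlv(0x82, b"www.amazon.com")
                  + _tlv(0x82, b"*.amazon.com")
                  + _tlv(0x87, bytes([1, 2, 3, 4])))


if __name__ == "__main__":
    print(parse_general_names(SAMPLE_SAN))
    for host in ("www.amazon.com", "images.amazon.com", "a.b.amazon.com", "other.example"):
        print(host, cert_matches_host("other.example", SAMPLE_SAN, host))
```

With OpenSSL's C API the same inputs come from `X509_get_ext_d2i(cert, NID_subject_alt_name, NULL, NULL)`, which returns a `GENERAL_NAMES` stack whose `GEN_DNS` entries hold the dNSName values, and from `X509_NAME_get_text_by_NID(X509_get_subject_name(cert), NID_commonName, ...)` for the CN. OpenSSL 1.0.2 and later also provide `X509_check_host()`, which performs this matching, wildcard rules included, so a new implementation should call that rather than hand-roll the comparison.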