Slight problem... that unknown_CA error for some reason only appears on the server side, not the client...

Kyle Hamilton <[EMAIL PROTECTED]> wrote:
A client certificate does not identify an IP or domain name, a client
certificate identifies a user.

A server certificate identifies an IP or domain name (usually domain name).

And to follow up to your other question (how to make it a warning
instead of an error): If you're programming, you set a callback for
cert_verify (or whatever it's called, I'm too tired to look it up
right now). Then, you can look at the verify return code -- if it's
UNKNOWN_CA, then you can present a dialog to the user. This happens
before any actual application data is transmitted on the wire.

-Kyle H

On 3/30/06, michael Dorrian <[EMAIL PROTECTED]> wrote:
>
> This is the scenario. I have a root CA which I use to sign both the client
> certificate and server certificate. When you are checking the client
> certificate all you are checking is if the IP address matches the IP address
> in the certificate, but the certificate and IP address could be anyone's?
> Therefore all I need if I want to connect to the server is the same root CA
> as the server and then make my own client certificate and then connect to
> the server. In this case the root CA is all I need to have to make my client
> CA. Therefore, why is this check needed at all?
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager [EMAIL PROTECTED]

