> A certificate binds the public key of a public/private (asymmetric) > key pair with additional information. > A certificate is trusted by some trusting authority. In most cases, > this is a certifying authority (CA) -- and the asymmetric signature > by the CA is an assertion that the CA believes that the binding is > correct. > > The additional information can relate to the user, or the user > +machine, or machine itself, or literally any other combination. For > purposes of your question, though, it relates to these three options. > > The certificate is never, ever used in isolation. It is used in > conjunction with the private key, at a minimum, but it may also be > used with protocol data. (i.e., machine address.) > > I am unable to provide you with sample code for this purpose. > However, I must warn that there exist software proxies which are > capable of masking the true originating host. (If you wish to be > certain that a connection is from a host in your IP range, for > example, you must ensure that a proxy software is not in place on > that host.) You can perform such a check by getting the peer's > address on the connection in question... and then verifying that the > host is valid. (You can do this from information stored in the > certificate, or from information stored in a database that only the > verifier has access to.) > > You may also verify a given computer based on its IP, versus > information stored in the certificate and signed by your CA. Again, > the 'proxy' problem asserts itself, but such an attack might be more > sophisticated. > > Regardless, there exist no 100% guarantees. You must weigh the value > of any given attack versus the cost of that attack, and set your > policies appropriately.) > > I hope this information helps. > > -Kyle H
Thank you for your response and information about the proxies. I now have a feeling that to write a verification callback function, I will need to retrieve the information stored in the certificate that the peer has sent to me. So now, the follow-up questions are: 1) If my server has not received any certificate so far, how can it request for it? 2) Once the certificate is available to my program, how can I retrieve the information in the certificate? I believe , given that the certificate is in a particular format (x509 ?), the information can be retrieved as a C structure (or something alike), which then can be used to test each individual piece of information. Could you point me to APIs that will allow me to achieve this? Thanks, ~ Urjit DISCLAIMER ========== This e-mail may contain privileged and confidential information which is the property of Persistent Systems Pvt. Ltd. It is intended only for the use of the individual or entity to which it is addressed. If you are not the intended recipient, you are not authorized to read, retain, copy, print, distribute or use this message. If you have received this communication in error, please notify the sender and delete all copies of this message. Persistent Systems Pvt. Ltd. does not accept any liability for virus infected mails. ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
