Hello,
> I would like to have your opinion on one scenario, and my approach to
> provide needed functionality:
> 1) I have a server that listens to connection requests from the clients over
> the internet (meaning anyone and everyone who knows my ip/port can send me
> connection request. I am not behind a proxy).
> 2) I trust a CA (my_ca). So I have this CA's root certificate, which I can
> use to verify client certificates.
> 3) I wish to service client requests coming only from a particular group. So
> I need client authentication.
>
> Now, if I do not specify any certificate verification callback in the
> server, any and every client who has a certificate signed by 'my_ca' will be
> able to connect to me, because by default (I believe) openssl will only
> verify that the client certificate is authentic (signed by trusted CA). Is
> this understanding right?
Yes.
> Assuming that this is true, I will 'have to' specify a callback that will
> actually validate the certificate presented by the client, by looking at
> information other than the public key present in the certificate, right? How
> do I retrieve this information from the certificate? Could someone point me
> to APIs which retrieve this information from the certificate?
You can do this in SSL callback or after SSL netgotiation.
After SSL_accept() returns, you are sure that SSL client authentication
end successful (provided that you configured SSL server to request
that :-) and that certificate is verified (valid time, signature ...).
After that you can in your application get client certificate from SSL
object:
cert = SSL_get_peer_certificate(ssl);
and next get some info from cert:
name = X509_get_subject_name(cert);
name = X509_get_issuer_name(cert);
serial = ASN1_INTEGER_get(X509_get_serialNumber(cert));
some info may be converted to text and printed:
X509_NAME_oneline(name, buf, sizeof(buf));
X509_NAME_oneline(name, buf, sizeof(buf));
with this info you may decide to accept certificate or not to accept ...
If you decided to not accept: shutdown SSL connection.
> considering that retrieving and validating certificate information is
> possible, can I (rather the trusted CA my_ca) issue ONE unique certificate
> to a bunch of people(this means giving the same private-public key to all
> these people), such that they represent a group that my server is interested
> in entertaining? This question arises as I need to clarify if it is possible
> to issue ONE certificate to multiple individuals, or is it necessary to
> issue ONE certificate to EACH individual.
Of course you can issue one certificate and give it to some people
for authentication purpose. Technically this will work.
But with certificate you must give private key too (in reality this
key is used to client authentication is SSL).
If in one place this private key will be compromised than you have to
generate new key/certificate and give it to ALL users.
If in one place this private key will be compromised than you have to
disable this certificate on server and this will disable your ALL
clients.
Best regards,
--
Marek Marcola <[EMAIL PROTECTED]>
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager [EMAIL PROTECTED]
