On 4/17/2012 7:00 PM, Nou Dadoun wrote:
> Quick question regarding certificate usage in an ssl connection; you can
> associate a number of certificates with a server endpoint - is there any way of
> deciding at runtime which certificate is presented to the client (depending on
> the identity of the client say).
Unfortunately not (almost, read on).

This has been a major problem for the top use of SSL/TLS:
https web servers.

Currently the two most common workarounds are either:

A. Assign a separate IP address or port to each certificate
  (costly given the worldwide shortage of IPv4 addresses and
  the "default firewall configuration" induced shortage of
  usable TCP ports).

B. Generate a certificate which covers all the desired
  identities, either via wildcards or SubjectAlternativeNames.

However, recent TLS versions have introduced a new mechanism
where the client can tell the server which name it wants a
certificate for.  This is still not widely available in
web browsers and other stock clients, but that should improve
over time.
> And would the same mechanism be usable for the certificate the client presents
> in the case of mutual authentication?
For client certificates, there is a standard mechanism, going
back at least to SSL 3, maybe even to SSL 2: The server tells
the client if it wants mutual authentication and identifies
the acceptable certificates by a list of CAs.  Clients
routinely use this to select the appropriate certificate.

> (Pointers to documentation if any would be sufficient!)
>
> Thanks .... N



Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  http://www.wisemo.com
Transformervej 29, 2730 Herlev, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
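The two selection mechanisms described in the reply above, as an added example that is not part of the original thread and not OpenSSL's own code: a small TLS 1.2 wire-level walk-through in which the server reads the client's server_name (SNI) extension from a ClientHello to pick a server certificate, and the client reads the certificate_authorities list from a CertificateRequest to pick a client certificate. All messages are constructed here from the RFC 5246 / RFC 6066 layouts; the host names, the CA names "Corp Internal CA" / "Personal CA" and the certificate labels ("cert-www", "cert-corp", ...) are placeholders standing in for real X509 objects.

```python
"""
Added example (not from the original post or from OpenSSL): the two
certificate-selection mechanisms from the reply, at the wire level.

  1. Server side: read the server_name (SNI) extension of a ClientHello
     (RFC 6066) and choose which server certificate to present.
  2. Client side: read certificate_authorities from a CertificateRequest
     (RFC 5246 s7.4.4) and choose which client certificate to present.

No sockets, no keys: "certificates" are labels keyed by host name or by
issuer DN.  Every length field is bounds-checked, because these bytes
arrive from an unauthenticated peer before any key has been agreed.
"""
import struct
from typing import List, Optional

# TLS variable-length vectors: 1-, 2- or 3-byte length prefix.
def u8v(b: bytes) -> bytes:  return struct.pack("!B", len(b)) + b
def u16v(b: bytes) -> bytes: return struct.pack("!H", len(b)) + b
def u24v(b: bytes) -> bytes: return len(b).to_bytes(3, "big") + b

class Reader:
    """Cursor over a byte string that refuses to read past the end."""
    def __init__(self, buf: bytes): self.buf, self.pos = buf, 0
    def take(self, n: int) -> bytes:
        if self.pos + n > len(self.buf): raise ValueError("truncated message")
        out = self.buf[self.pos:self.pos + n]; self.pos += n; return out
    def uint(self, n: int) -> int: return int.from_bytes(self.take(n), "big")
    def vec(self, n: int) -> bytes: return self.take(self.uint(n))
    def done(self) -> bool: return self.pos == len(self.buf)

def der_cn(name: str) -> bytes:
    """Minimal DER Name: SEQUENCE{SET{SEQUENCE{OID 2.5.4.3 (CN), UTF8String}}}."""
    val = name.encode()
    assert len(val) < 120, "short-form DER lengths only"
    atv = b"\x06\x03\x55\x04\x03" + b"\x0c" + bytes([len(val)]) + val
    seq = b"\x30" + bytes([len(atv)]) + atv
    rdn = b"\x31" + bytes([len(seq)]) + seq
    return b"\x30" + bytes([len(rdn)]) + rdn

# ---- 1. server picks its certificate from the client's SNI ---------------
def build_client_hello(host: Optional[str]) -> bytes:
    """Constructed ClientHello; host=None mimics a legacy client without SNI."""
    body = b"\x03\x03" + b"\x11" * 32                      # version, fixed "random"
    body += u8v(b"") + u16v(b"\xc0\x2f") + u8v(b"\x00")    # session_id, suites, compression
    exts = b""
    if host is not None:
        entry = b"\x00" + u16v(host.encode("idna"))        # name_type 0 = host_name
        exts += struct.pack("!H", 0) + u16v(u16v(entry))   # extension type 0 = server_name
    return b"\x01" + u24v(body + u16v(exts))               # handshake type 1

def parse_sni(msg: bytes) -> Optional[str]:
    """Return the host_name from the server_name extension, or None if absent."""
    r = Reader(msg)
    if r.uint(1) != 0x01: raise ValueError("not a ClientHello")
    body = Reader(r.vec(3))
    if not r.done(): raise ValueError("trailing bytes after ClientHello")
    body.take(2 + 32); body.vec(1); body.vec(2); body.vec(1)   # skip to extensions
    if body.done(): return None                                # pre-extension client
    exts = Reader(body.vec(2))
    if not body.done(): raise ValueError("bad extensions length")
    while not exts.done():
        etype, data = exts.uint(2), Reader(exts.vec(2))
        if etype != 0: continue
        names = Reader(data.vec(2))
        while not names.done():
            ntype, name = names.uint(1), names.vec(2)
            if ntype == 0: return name.decode("ascii")
    return None

SERVER_CERTS = {"www.example.com": "cert-www", "mail.example.com": "cert-mail"}  # constructed
DEFAULT_CERT = "cert-default"   # non-SNI clients get this: where workarounds A/B still apply

def select_server_cert(client_hello: bytes) -> str:
    name = parse_sni(client_hello)
    return DEFAULT_CERT if name is None else SERVER_CERTS.get(name.lower(), DEFAULT_CERT)

# ---- 2. client picks its certificate from the server's CA list -----------
def build_certificate_request(ca_names: List[str]) -> bytes:
    body = u8v(b"\x01\x40")                                # rsa_sign, ecdsa_sign
    body += u16v(b"\x04\x01\x04\x03")                      # sha256/rsa, sha256/ecdsa
    body += u16v(b"".join(u16v(der_cn(n)) for n in ca_names))
    return b"\x0d" + u24v(body)                            # handshake type 13

def parse_certificate_request(msg: bytes) -> List[bytes]:
    """Return the list of acceptable issuer DNs (raw DER), possibly empty."""
    r = Reader(msg)
    if r.uint(1) != 0x0d: raise ValueError("not a CertificateRequest")
    body = Reader(r.vec(3))
    body.vec(1); body.vec(2)                               # cert types, sig algs
    cas, names = Reader(body.vec(2)), []
    while not cas.done(): names.append(cas.vec(2))        # each entry: one DER DN
    return names

CLIENT_CERTS = [("cert-corp", der_cn("Corp Internal CA")),   # (label, issuer DN), constructed
                ("cert-personal", der_cn("Personal CA"))]

def select_client_cert(cert_request: bytes) -> Optional[str]:
    acceptable = parse_certificate_request(cert_request)
    if not acceptable: return CLIENT_CERTS[0][0]           # empty list: any issuer is fine
    for label, issuer in CLIENT_CERTS:
        if issuer in acceptable: return label              # exact DER match on issuer
    return None                                            # nothing fits: send empty Certificate

if __name__ == "__main__":
    print(select_server_cert(build_client_hello("mail.example.com")))
    print(select_client_cert(build_certificate_request(["Personal CA"])))
```

In OpenSSL the corresponding hooks are SSL_CTX_set_tlsext_servername_callback on the server (the callback inspects the name the client sent and can switch to a different SSL_CTX holding the right certificate) and SSL_CTX_set_client_cert_cb on the client (the callback is handed the connection and returns the certificate and key to use; SSL_get_client_CA_list exposes the parsed CA list). Two caveats the parser makes visible: the SNI name is sent in the clear and before any authentication, so it may only be used to choose a certificate, never as a trusted identity; and the CertificateRequest layout above is the TLS 1.2 one, which TLS 1.3 replaced with an extension-based message, so a parser must be keyed on the negotiated version.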