I have recently written a product that incorporates SSL/TLS server code that processes client certificates. I designed what I thought made sense at the time but now I am wondering if what I did was best.
In the product's configuration file the sysadmin may optionally include a whitelist of client names. If the sysadmin does so, then the server requests a client certificate. At least one of the names (subject O= and Alternative names, including wildcards) in the certificate must match one of the names in the whitelist or I reject the session. Something I saw recently got me to wondering whether I should have made some sort of provision for checking IP addresses: perhaps verifying that the client IP address appeared in the Alternative names in the client certificate as well as in the whitelist? Or perhaps that the IP address matched an alternative name and the subject name appeared in the whitelist? Comments? Charles ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager majord...@openssl.org