Trying to achieve client authentication.

Should I have said "certificate signed by a CA known to the server"?

Charles

-----Original Message-----
From: owner-openssl-us...@openssl.org
[mailto:owner-openssl-us...@openssl.org] On Behalf Of Ben Laurie
Sent: Saturday, October 06, 2012 10:38 AM
To: openssl-users@openssl.org
Subject: Re: Best practice for client cert name checking

On Sat, Oct 6, 2012 at 2:52 PM, Charles Mills <charl...@mcn.org> wrote:
> I have recently written a product that incorporates SSL/TLS server 
> code that processes client certificates. I designed what I thought 
> made sense at the time but now I am wondering if what I did was best.
>
> In the product's configuration file the sysadmin may optionally 
> include a whitelist of client names. If the sysadmin does so, then the 
> server requests a client certificate. At least one of the names 
> (subject O= and Alternative names, including wildcards) in the 
> certificate must match one of the names in the whitelist or I reject the
> session.
>
> Something I saw recently got me to wondering whether I should have 
> made some sort of provision for checking IP addresses: perhaps 
> verifying that the client IP address appeared in the Alternative names 
> in the client certificate as well as in the whitelist? Or perhaps that 
> the IP address matched an alternative name and the subject name appeared
> in the whitelist?
>
> Comments?

You don't say what you're trying to achieve! But whatever it is, none of the
above makes a lot of sense - anyone can make a cert with whatever subject
and alternate names they want...
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
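The point Ben makes above is that a name in a client certificate means nothing until the certificate has been verified to chain to a CA the server trusts; only after that does a whitelist of names say anything about who is on the other end. The following is an added example (not code from this thread, and not OpenSSL project code) showing the two halves in that order using Python's ssl module: a server context that requires a client certificate and verifies it against a configured CA bundle, and the whitelist check from the original design applied to the verified certificate. It assumes the peer certificate in the dict form that ssl.SSLSocket.getpeercert() returns, treats a wildcard in the certificate as covering exactly one left-most DNS label, and uses a constructed sample certificate dict; the file names passed to make_server_context are placeholders.

```python
"""Client-certificate authentication on the server side, in two steps:
1. require a client certificate and verify its chain against a CA the
   server trusts (the TLS library does this during the handshake);
2. only then compare the verified certificate's names to a configured
   whitelist.

Assumptions (added example, not from the original thread): the peer
certificate is in the dict shape returned by ssl.SSLSocket.getpeercert(),
the names checked are subject O= and SAN DNS entries as in the original
design, and a '*.' wildcard in the certificate covers one DNS label.
"""
import ssl
from typing import Iterable, List, Optional

# Constructed sample, shaped like getpeercert() output (not a real cert).
SAMPLE_PEERCERT = {
    "subject": ((("organizationName", "Example Corp"),),
                (("commonName", "client1"),)),
    "subjectAltName": (("DNS", "client1.example.com"),
                       ("DNS", "*.batch.example.com"),
                       ("IP Address", "10.0.0.5")),
}


def make_server_context(cafile: Optional[str] = None,
                        certfile: Optional[str] = None,
                        keyfile: Optional[str] = None) -> ssl.SSLContext:
    """Server context that demands a client cert chaining to `cafile`.

    With CERT_REQUIRED the handshake fails if the client sends no cert or
    one that does not verify against the loaded CA(s); with CERT_NONE the
    cert is never requested and getpeercert() returns an empty dict, so
    any later name check would run against nothing.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.verify_mode = ssl.CERT_REQUIRED
    if cafile:            # e.g. "clients-ca.pem": the CA the sysadmin trusts
        ctx.load_verify_locations(cafile)
    if certfile:          # the server's own certificate and key
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def context_requires_client_cert(ctx: ssl.SSLContext) -> bool:
    """Sanity check: the context will not complete a handshake without a
    client certificate that verifies."""
    return ctx.verify_mode == ssl.CERT_REQUIRED


def cert_names(peercert: dict) -> List[str]:
    """Names the original design compares: subject O= plus SAN DNS names."""
    names: List[str] = []
    for rdn in peercert.get("subject", ()):
        for attr_type, value in rdn:
            if attr_type == "organizationName":
                names.append(value)
    for san_type, value in peercert.get("subjectAltName", ()):
        if san_type == "DNS":
            names.append(value)
    return names


def name_matches(cert_name: str, wanted: str) -> bool:
    """Case-insensitive exact match, or a '*.' wildcard in the certificate
    covering exactly one left-most label of the whitelisted name."""
    cert_name = cert_name.lower().rstrip(".")
    wanted = wanted.lower().rstrip(".")
    if cert_name == wanted:
        return True
    if cert_name.startswith("*."):
        suffix = cert_name[2:]
        head, sep, rest = wanted.partition(".")
        # one label only, and the wildcard must leave at least two labels
        return bool(sep) and head != "" and rest == suffix and "." in suffix
    return False


def authorize_client(peercert: Optional[dict], whitelist: Iterable[str]) -> bool:
    """Accept the session only if the (already chain-verified) certificate
    carries at least one name on the whitelist."""
    if not peercert:      # no cert, or a context that never verified one
        return False
    return any(name_matches(c, w)
               for c in cert_names(peercert) for w in whitelist)


if __name__ == "__main__":
    ctx = make_server_context()   # real use: cafile=..., certfile=..., keyfile=...
    print("client cert required:", context_requires_client_cert(ctx))
    for wl in (["client1.example.com"], ["job7.batch.example.com"],
               ["batch.example.com"], ["Example Corp"]):
        print(wl, "->", authorize_client(SAMPLE_PEERCERT, wl))
```

In production the context would be created with the CA file, server certificate and key, and authorize_client would be called on sock.getpeercert() after ctx.wrap_socket(...) has completed the handshake; the whitelist alone, without CERT_REQUIRED and a loaded CA, is exactly the situation Ben describes, since any client can mint a certificate carrying whatever names it likes.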
