FQDN verification in certificates

2007-06-21 Thread Soji VP
Hi all,

I'm using OpenSSL with my application; I'd like to add the 5th optional
step (to avoid a man-in-the-middle attack) in my TLS negotiation by
ensuring the FQDN present in the certificate matches the actual FQDN of
the sender.

1) Please suggest a way to extract the subject name as an FQDN from the
certificate; and do we need to extract the FQDN from the extension list also?

2) What is the best way to get the FQDN of the peer? Is reverse FQDN
lookup a recommended method?

3) Is there any precaution I should take while implementing this
step?

Any suggestion is highly appreciated.

-soji
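As an added example for the question above (this is not code from the thread or from OpenSSL), the following shows the matching step itself: the name to compare is the hostname the client resolved and connected to, not the result of a reverse lookup of the peer's address, and the comparison follows the RFC 6125 rules: subjectAltName dNSName entries are checked first, the subject commonName is consulted only when the certificate carries no dNSName at all, and a wildcard is honoured only as the whole left-most label. The certificate is a constructed dict in the shape Python's `ssl.SSLSocket.getpeercert()` returns, so the logic runs offline; on the OpenSSL side the same check is provided by `X509_check_host()` in OpenSSL 1.0.2 and later, which did not yet exist when this thread was written.

```python
"""Match the hostname a client set out to reach against a peer certificate.

Added example (not code from the thread).  The certificate below is a
constructed dict in the shape Python's ssl.SSLSocket.getpeercert() returns,
so the matching logic can run offline without a TLS connection.
"""
import ipaddress

# Constructed sample peer certificate (assumption: hand-built, not a real cert).
SAMPLE_CERT = {
    "subject": ((("commonName", "legacy.example.net"),),),
    "subjectAltName": (
        ("DNS", "www.example.com"),
        ("DNS", "*.api.example.com"),
        ("IP Address", "192.0.2.10"),
    ),
}


def san_dns_names(cert):
    """dNSName entries from the subjectAltName extension (may be empty)."""
    return [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]


def san_ip_names(cert):
    """iPAddress entries from the subjectAltName extension."""
    return [v for kind, v in cert.get("subjectAltName", ()) if kind == "IP Address"]


def subject_common_names(cert):
    """commonName attributes from the subject DN, used only as a fallback."""
    return [v for rdn in cert.get("subject", ()) for kind, v in rdn if kind == "commonName"]


def dns_pattern_matches(pattern, hostname):
    """RFC 6125 style comparison: case-insensitive; a wildcard is accepted only
    as the entire left-most label, must leave at least two more labels, and
    matches exactly one non-empty label (never across a dot)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or "*" in pattern[1:] or len(p_labels) < 3:
        return False
    return (len(h_labels) == len(p_labels)
            and h_labels[0] != ""
            and h_labels[1:] == p_labels[1:])


def hostname_matches_cert(cert, expected):
    """True if 'expected' is covered by the certificate.

    'expected' is the name the client resolved and connected to; it is not
    derived from a reverse lookup of the peer's address.  If the SAN extension
    carries any dNSName, the subject CN is ignored entirely.
    """
    try:
        ip = ipaddress.ip_address(expected)
    except ValueError:
        ip = None
    if ip is not None:
        return any(ipaddress.ip_address(s) == ip for s in san_ip_names(cert))
    dns = san_dns_names(cert)
    if dns:
        return any(dns_pattern_matches(p, expected) for p in dns)
    return any(dns_pattern_matches(p, expected) for p in subject_common_names(cert))


if __name__ == "__main__":
    for name in ("www.example.com", "v1.api.example.com", "a.b.api.example.com",
                 "legacy.example.net", "192.0.2.10"):
        print(f"{name:25s} -> {hostname_matches_cert(SAMPLE_CERT, name)}")
```

Note that `legacy.example.net` is rejected even though it is the subject CN: once a certificate carries dNSName entries, the CN is no longer consulted, which is why the extension list must be read and not just the subject.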

 



RE: SSL_write and SSL_read

2007-04-12 Thread Soji VP

Hi David,

Thanks for your sound reply :)
I'll take care of this caveat in action...

I understand that the same scenario would be applicable in the case of multiple 
threads handling the same fd even though we managed to get it synchronized 
using some mutex.

Please correct me if I'm wrong :)

Thanks 
soji.

-Original Message-
From: [EMAIL PROTECTED] on behalf of David Schwartz
Sent: Thu 4/12/2007 8:35 AM
To: [EMAIL PROTECTED]
Subject: RE: SSL_write and SSL_read
Apologies if this was already responded to:

> Or if I put it in another way, if SSL_read() returns,
> SSL_ERROR_WANT_READ or SSL_ERROR_WANT_WRITE (from SSL_get_error())
> on the socket "fd" then, can I send data on the same socket using
> SSL_write() ? (Provided, both read and write operations on the
> "fd" are handled by same thread always.)

Yes. There is really only one caveat:

Suppose SSL_write returns 'SSL_ERROR_WANT_READ' and you subsequently call
SSL_read. No matter what happens in that SSL_read call, you must not then
block in select before retrying the SSL_write.

In other words, you can't allow this to happen:

1) SSL_write blocks because negotiation data needs to be read. You get a
WANT_READ.

2) The protocol data arrives on the socket just as you call SSL_read. It
fails because there is no application data but does read the protocol data;
you get a WANT_READ.

3) You call 'select' looking for data to be available for reading and don't
call 'SSL_write' until you get that data, but you never will because the
SSL_read got the data SSL_write was waiting for even though it returned
WANT_READ.

So you must be very careful of deadlock. If SSL_read returns WANT_READ, that
does *not* mean that it made no forward progress!

DS


__
OpenSSL Project http://www.openssl.org
User Support Mailing List    [EMAIL PROTECTED]
Automated List Manager       [EMAIL PROTECTED]
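To make the deadlock in the reply above concrete, here is an added example (not code from the thread and not OpenSSL) that models one thread servicing both SSL_read and SSL_write on a single non-blocking fd. `FakeSSL` is a constructed stand-in for an `SSL*` that reproduces only the behaviour David describes: SSL_read may consume the negotiation record SSL_write was waiting for and still report WANT_READ. `drive()` runs the three steps from the reply, once in the naive form that goes straight to select() and once with the pending write retried first; the return value shows which of the two loops would hang.

```python
"""Driving SSL_read and SSL_write on one non-blocking fd from one thread.

Added example (not code from the thread).  FakeSSL is a constructed stand-in
for an SSL* object, not OpenSSL: it reproduces only the behaviour the reply
describes, namely that SSL_read can consume the protocol record SSL_write was
waiting for and still report WANT_READ.  drive() shows the loop shape that
avoids the resulting select() deadlock.
"""
from collections import deque


class WantRead(Exception):
    """Stand-in for SSL_get_error() == SSL_ERROR_WANT_READ."""


class FakeSSL:
    """Simulated TLS endpoint (assumption: a model, not a real TLS stack).

    While needs_handshake_record is set, an application write cannot proceed
    until the peer's handshake record has been read from the fd.
    """

    def __init__(self):
        self.inbound = deque()           # records the kernel has buffered for us
        self.needs_handshake_record = True
        self.sent = []                   # application records handed to the fd

    def ssl_write(self, data):
        if self.needs_handshake_record:
            # SSL_write reads the negotiation data itself if it is already there
            if self.inbound and self.inbound[0] == b"HANDSHAKE":
                self.inbound.popleft()
                self.needs_handshake_record = False
            else:
                raise WantRead           # SSL_write -> SSL_ERROR_WANT_READ
        self.sent.append(data)
        return len(data)

    def ssl_read(self):
        # Protocol records are consumed silently; only application records
        # are returned to the caller.
        while self.inbound:
            record = self.inbound.popleft()
            if record == b"HANDSHAKE":
                self.needs_handshake_record = False   # forward progress!
            else:
                return record
        raise WantRead                   # no application data available


def drive(ssl, data, peer_records, retry_write_before_select, max_iterations=8):
    """Send 'data' while also servicing reads on the same fd.

    peer_records models the network: each record lands in the socket buffer
    just before we call SSL_read (the race in step 2 of the reply).  Returns
    "sent" once the write completes, or "deadlock" when the loop would block
    in select() with nothing left that could ever arrive.
    """
    for _ in range(max_iterations):
        # Step 1: try the write; it may need negotiation data read first.
        try:
            ssl.ssl_write(data)
            return "sent"
        except WantRead:
            pass
        # Step 2: the peer's record arrives as we call SSL_read, which consumes
        # it but reports WANT_READ because there is no application data.
        if peer_records:
            ssl.inbound.append(peer_records.pop(0))
        try:
            ssl.ssl_read()
        except WantRead:
            pass
        # The fix: a WANT_READ from SSL_read does not mean nothing progressed,
        # so retry the pending write before blocking in select().
        if retry_write_before_select:
            try:
                ssl.ssl_write(data)
                return "sent"
            except WantRead:
                pass
        # Step 3: select() for readability.  The peer is waiting for our data,
        # so if nothing is buffered and nothing more is scheduled, this blocks
        # forever.
        if not ssl.inbound and not peer_records:
            return "deadlock"
    return "deadlock"


if __name__ == "__main__":
    print("naive loop  :", drive(FakeSSL(), b"app data", [b"HANDSHAKE"], False))
    print("retry first :", drive(FakeSSL(), b"app data", [b"HANDSHAKE"], True))
```

The general rule the model encodes: keep track of any SSL_write that returned WANT_READ or WANT_WRITE, and after every subsequent SSL call on that fd retry it before the thread blocks in select() or poll(), regardless of what the intervening SSL_read reported.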




SSL_write and SSL_read

2007-04-10 Thread Soji VP
Hi Friends,

I've an application which supports TLS communication in which socket
descriptors are handled in threads.

Let's take an arbitrary socket descriptor "fd" and here we go,

Can I send data through "fd" using SSL_write() if I'm in the middle of
reading the data from the same fd?

Or if I put it in another way, if SSL_read() returns
SSL_ERROR_WANT_READ or SSL_ERROR_WANT_WRITE (from SSL_get_error()) on
the socket "fd" then, can I send data on the same socket using
SSL_write()? (Provided both read and write operations on the "fd" are
handled by the same thread always.)

Any suggestions would be greatly appreciated :-)

Thanks in Advance,

Soji.