Re: subjectAltName extension of type dNSName

2006-06-09 Thread david kine
Thank you very much!

-David

Re: subjectAltName extension of type dNSName

2006-06-08 Thread Victor Duchovni
On Fri, Jun 09, 2006 at 12:25:52AM +0200, Goetz Babin-Ebell wrote:

> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
> 
> david kine schrieb:
> Hello David,
> 
> > One more question:  how do I, using the CA.pl script, generate a
> > certificate with a subjectAltName extension of type dNSName?  The ones I
> > have already generated do not have this field set.
> 
> > I suppose there is an openssl.cnf file setting for this purpose?  I
> > notice the line "#subjectAltName=email:copy" in the system's openssl.cnf
> 
> subjectAltName=DNS:your.domain.org

For multiple values:

subjectAltName  = @alt_names

[ alt_names ]
DNS.1 = host1.example.com
DNS.2 = host2.example.com
DNS.3 = host3.example.com
DNS.4 = host4.example.com
DNS.5 = host5.example.com
DNS.6 = host6.example.com
DNS.7 = host7.example.com
DNS.8 = host8.example.com
DNS.9 = host9.example.com
DNS.10 = host10.example.com
DNS.11 = host11.example.com
DNS.12 = host12.example.com
DNS.13 = host13.example.com
DNS.14 = host14.example.com
DNS.15 = host15.example.com
DNS.16 = host16.example.com
DNS.17 = host17.example.com
DNS.18 = host18.example.com
DNS.19 = host19.example.com

-- 
Viktor.
__
OpenSSL Project                 http://www.openssl.org
User Support Mailing List       openssl-users@openssl.org
Automated List Manager          [EMAIL PROTECTED]


Re: subjectAltName extension of type dNSName

2006-06-08 Thread Goetz Babin-Ebell
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

david kine schrieb:
Hello David,

> One more question:  how do I, using the CA.pl script, generate a
> certificate with a subjectAltName extension of type dNSName?  The ones I
> have already generated do not have this field set.

> I suppose there is an openssl.cnf file setting for this purpose?  I
> notice the line "#subjectAltName=email:copy" in the system's openssl.cnf

subjectAltName=DNS:your.domain.org

Bye

Goetz

- --
DMCA: The greed of the few outweighs the freedom of the many
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.2.5 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFEiKPv2iGqZUF3qPYRAum+AJ9TRnaoHrpM5KBxYpnTAQzA6u4FwgCeNl6c
3HqW6isS6WJy9S98ORT/Q5E=
=CAzJ
-END PGP SIGNATURE-
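As an added example (not from the thread and not from the OpenSSL distribution), here is a self-contained openssl.cnf fragment that puts Goetz's single-value form and Victor's @alt_names form side by side, and adds the one setting David's CA.pl case needs. Section names (req_dn, v3_req, usr_cert) and the host names are assumptions; only the subjectAltName lines come from the thread.

```ini
# Added example, not from the thread. Used with:
#   openssl req -new -config this.cnf -key key.pem -out req.pem
#   openssl req -x509 -config this.cnf -key key.pem -out cert.pem
[ req ]
distinguished_name = req_dn
req_extensions     = v3_req     # extensions written into the CSR
x509_extensions    = v3_req     # extensions used by "openssl req -x509"
prompt             = no

[ req_dn ]
CN = host1.example.com          # keep a CN for clients that ignore SAN

[ v3_req ]
# single value (Goetz's form):
#subjectAltName = DNS:host1.example.com
# several values (Victor's form):
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = host1.example.com
DNS.2 = host2.example.com
DNS.3 = *.example.com           # wildcard only as the left-most label

# CA.pl drives "openssl ca", which takes its extensions from the section
# named by x509_extensions and silently drops any extension carried in the
# CSR unless copy_extensions is set. Only the relevant keys are shown; dir,
# database, serial, private_key, certificate and policy come from the stock
# openssl.cnf.
[ ca ]
default_ca = CA_default

[ CA_default ]
copy_extensions = copy          # honour subjectAltName from the CSR
x509_extensions = usr_cert

[ usr_cert ]
basicConstraints = CA:FALSE
# alternatively, instead of copy_extensions, fix the names here:
#subjectAltName = @alt_names
```

Two checks are worth doing after signing: `openssl x509 -in cert.pem -noout -text` must show an "X509v3 Subject Alternative Name" line listing every DNS entry, and with `copy_extensions = copy` the CA operator must read the CSR's requested names before signing, because the requester now chooses the identities the certificate asserts.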


Re: subjectAltName extension of type dNSName

2006-06-08 Thread david kine
Hello Victor,

Thank you very much, the code you provide is extremely useful!

One more question: how do I, using the CA.pl script, generate a certificate with a subjectAltName extension of type dNSName? The ones I have already generated do not have this field set.

I suppose there is an openssl.cnf file setting for this purpose? I notice the line "#subjectAltName=email:copy" in the system's openssl.cnf file.

Thanks,

-David

Re: subjectAltName extension of type dNSName

2006-06-08 Thread Victor Duchovni
On Thu, Jun 08, 2006 at 11:40:04AM -0700, david kine wrote:

>   My code to retrieve the common name from the subject field is:
> X509 *cert = [code not shown]
>   char pName[ 256 ];
>   X509_NAME *subj;
>   subj = X509_get_subject_name( cert );
>   X509_NAME_get_text_by_NID( subj, NID_commonName, pName,
>256);

The encoding of the resulting buffer is not necessarily correct, you are
getting the raw ASN.1 string contents, not its UTF8 representation. While
the CN is not typically encoded for hostnames, this code is not robust.

More robust logic can be found in the Postfix 2.3 snapshot release,
currently: 2.3-20060604

http://www.postfix.org/download.html

The function tls_text_name() in src/tls/tls_verify.c handles CommonName
extraction. This extracts the first commonName. Some suggest it should
be the last, others say you should match *any* CommonName in the DN. This
is a mess, the DNS name extension is a lot cleaner. Code to insist that
there is only one CN is present under "#ifdef 0".

Code to look at DNSNames is in verify_extract_peer(), in src/tls/tls_client.c

-- 
Viktor.


subjectAltName extension of type dNSName

2006-06-08 Thread david kine
Hello,

My secure client application performs post-connection fully-qualified-domain-name authentication. According to RFC 2818, "If a subjectAltName extension of type dNSName is present, that MUST be used as the identity. Otherwise, the (most specific) Common Name field in the Subject field of the certificate MUST be used." My code to retrieve the common name from the subject field is:

  X509 *cert = [code not shown]
  char pName[ 256 ];
  X509_NAME *subj;
  subj = X509_get_subject_name( cert );
  X509_NAME_get_text_by_NID( subj, NID_commonName, pName, 256);

My question: how do I retrieve the subjectAltName extension of type dNSName?

Thanks,

-David