> As my security experience is not very broad, I think that, as you properly
> pointed out, I was confused by the security model.
If this is a real-world application, you really need to stop *immediately*
and get someone with much more security experience to review what you're
doing. If we fix all the p
Victor Duchovni wrote:
On Wed, Mar 07, 2007 at 03:34:31AM +0100, Vladislav Marinov wrote:
This is why I want to extract information about what hostname/IP is
participating in the TLS handshake and compare it to the Common Name
field in the certificate.
This makes no sense, the client could
On Wed, Mar 07, 2007 at 04:24:34AM +0100, Vladislav Marinov wrote:
> As my security experience is not very broad, I think that, as you properly
> pointed out, I was confused by the security model. From your words I see
> that only client X can present a certificate that belongs to client X.
Client cert
Hi again,
As my security experience is not very broad, I think that, as you properly
pointed out, I was confused by the security model. From your words I see
that only client X can present a certificate that belongs to client X.
Why? X.509 certificate simply ties an identity (DNS name for ex.) to a
publ
On Wed, Mar 07, 2007 at 03:34:31AM +0100, Vladislav Marinov wrote:
> > Unless the server solicited the client connection, and was expecting
> > a connection from a *given* client, it typically makes no sense to tie
> > the client credentials to the client's IP address, rather if you have
> > a cli
Victor Duchovni wrote:
> On Wed, Mar 07, 2007 at 02:28:33AM +0100, Vladislav Marinov wrote:
>
>
>> I am trying to write a client/server application using the OpenSSL
>> support for DTLS and I have a problem with the server validating the
>> certificate of the client.
>>
>
> Unless the serve
On Wed, Mar 07, 2007 at 02:28:33AM +0100, Vladislav Marinov wrote:
> I am trying to write a client/server application using the OpenSSL
> support for DTLS and I have a problem with the server validating the
> certificate of the client.
Unless the server solicited the client connection, and was ex