Hi,

I'm using openssl 0.9.4 on Sparc Solaris 2.6/2.7 for a webserver-like
process which must recognize customers from a simple username/password
scheme or from a client certificate.
The customer 'subscription' is stored in a database where the username
is the unique identifier.

1) When using a client certificate I guess the unique username must be
stored in the certificate, right? Is the field Common Name (CN) used for
this purpose? Am I guaranteed that this field is unique or is this up
to the CA issuing the certificate?

2) My server uses the call SSL_CTX_load_verify_locations(ssl_ctx,
CAfile, CApath) to load the CAs.
Is it correct that this function loads the CAs that my client
certificates can be signed by, meaning that these are the CAs I trust?
If the CA which signed the client certificate is not in this list, the
client will be rejected, right?

When setting CAfile to NULL and CApath to e.g. "openssl-0.9.4/certs/" it
works fine and the server can read the client certificate.
I would however like to use the CAfile argument to specify a file
instead. It works well if I use "openssl-0.9.4/certs/vsign1.pem" (I am
using a test cert from Verisign). Can I just concatenate a file with all
the CAs I would like to support? Is there such an official file within
the openssl distribution or can anyone make one?

Best regards,
--
Flemming F. Jans
Manager, Software Development
Belle Systems A/S
Tel.: +45 5944 2500
Mobile: +45 2340 9375
Fax.: +45 5944 2588
E-mail: [EMAIL PROTECTED]
www.bellesystems.com
Defining the Future of IP Services
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
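Added example, not from the original post or from OpenSSL: the trust semantics asked about above, shown with Go's crypto/x509 because its standard library can build a small test PKI offline, where x509.CertPool.AppendCertsFromPEM plays the role of SSL_CTX_load_verify_locations given a concatenated CAfile. It shows that a client certificate signed by either CA in the concatenated bundle is accepted, that one from a CA that was never loaded is rejected even with an identical CN, and that the identifier unique by construction is issuer DN plus serial number, while CN uniqueness is only each CA's policy. The functions issue, pemOf and identify and the CA and user names are constructed for this example.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// issue mints a constructed test cert for cn: a self-signed CA when parent is nil, else a client leaf signed by parent's key.
func issue(cn string, serial int64, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, NotBefore: time.Now().Add(-time.Hour),
		NotAfter: time.Now().Add(time.Hour), ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if parent == nil { // self-signed CA: flag it as a CA so it may sign leaves
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil { panic(err) }
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
// pemOf encodes one cert as PEM; appending several blocks is exactly what `cat ca1.pem ca2.pem > trusted.pem` yields for CAfile.
func pemOf(c *x509.Certificate) []byte {
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: c.Raw})
}
// identify accepts leaf only if it chains to a CA in the PEM bundle trust and returns its CN plus issuer DN and serial.
// The issuer/serial pair is unique by construction; the CN is only as unique as each issuing CA's policy makes it.
func identify(trust []byte, leaf *x509.Certificate) (cn, issuerSerial string, err error) {
	roots := x509.NewCertPool()
	roots.AppendCertsFromPEM(trust) // an unparsable bundle leaves the pool empty, so Verify fails closed
	if _, err = leaf.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
		return "", "", err // issuer not among the loaded CAs (or expired, wrong key usage, ...)
	}
	return leaf.Subject.CommonName, leaf.Issuer.String() + " serial=" + leaf.SerialNumber.String(), nil
}
func main() {
	ca1, k1 := issue("Trusted CA 1", 1, nil, nil)
	ca2, _ := issue("Trusted CA 2", 2, nil, nil)
	other, ko := issue("Other CA", 3, nil, nil)
	trusted := append(pemOf(ca1), pemOf(ca2)...) // the concatenated CAfile
	good, _ := issue("alice", 100, ca1, k1)
	bad, _ := issue("alice", 100, other, ko) // same CN, but its issuer was never loaded
	fmt.Println(identify(trusted, good))
	fmt.Println(identify(trusted, bad))
}
```

The customer lookup in the database should therefore be keyed on the issuer/serial pair (or on a CN that the server has first tied to a specific trusted issuer), since any CA in the bundle could issue a certificate carrying the same CN.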