Flemming Jans wrote:
> I'm using openssl 0.9.4 on Sparc Solaris 2.6/2.7 for a webserver like
> process which must recognize customers from a simple username/password
> scheme or from a client certificate.
>
> The customer 'subscription' is stored in a database where the username
> is the unique identifier.
>
> 1) When using a client certificate I guess the unique username must be
> stored in the certificate right ? Is the field Common Name (CN) used for
> this purpose ? Am I guaranteed that this field is unique or is this up
> to the CA issuing the certificate?
Since openssl is both open source and can generate certificates, I can't
think of a mechanism that could possibly guarantee that CNs were
unique! The simplest solution might be to use the hash of the
certificate (SSL_get_peer_certificate; x509_digest) - for all practical
purposes, this is unique.
> 2) My server uses the call SSL_CTX_load_verify_locations(ssl_ctx,
> CAfile, CApath) to load the CAs.
> Is it correct that this function loads the CAs that my client
> certificates can be signed by, meaning that these are the CAs I trust?
> If the CA which signed the client certificate is not in this list, the
> client will be rejected, right ?
Yes, more-or-less. For details see the discussion on certificate
chaining in December. Basically, the client may supply intermediate
certificates (so you might have a CA that signed X's certificate, and X
signed the client's certificate, and the client supplies both the client
certificate and the certificate of X). To avoid this, make sure that a
chain length other than one is rejected in the callback set with
SSL_CTX_set_verify using X509_STORE_CTX_get_error_depth (maybe this is
done by default - I do not know).
> When setting CAfile to NULL and CApath to e.g. "openssl-0.9.4/certs/" it
> works fine and the server can read the client certificate.
> I would however like to use the CAfile argument to specify a file
> instead. It works well if I use "openssl-0.9.4/certs/vsign1.pem" (I am
> using a test cert from Verisign). Can I just concatenate a file with all
> the CAs I would like to support ? Is there such an official file within
> the openssl distribution or can anyone make one ?
This works fine - just cat the files together.
Andrew
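The three points in this reply, worked through as an added example that is not part of the original thread: a POSIX shell script driving the openssl command-line tool (assumed to be 1.1.1 or later on PATH; the 0.9.4 release discussed above predates several of these options) rather than the C API the question uses. It builds a throwaway PKI with constructed names (CA A, CA B, an intermediate under CA A, and two customer certificates that both carry CN=alice), then shows that the CN is not a usable unique key while the certificate fingerprint is, that a CAfile is just the CA PEM files concatenated, and that a client-supplied intermediate extends the accepted chain unless the verification depth is limited. The scratch directory, file names and subject names are all assumptions of the demo.

```shell
#!/bin/sh
# Added example, not from the thread: drives the openssl command-line tool
# (assumed 1.1.1 or later on PATH) to show the three points in the reply.
# Every CA, subject name and file name below is constructed for the demo.
set -e

WORK="${WORK:-$(mktemp -d)}"   # scratch directory for keys and certificates

# new_ca NAME CN : self-signed CA certificate and key (req -x509 marks it CA:TRUE)
new_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 -subj "/CN=$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" >/dev/null 2>&1
}

# issue NAME CN ISSUER [ca] : certificate signed by ISSUER; "ca" makes it an intermediate CA
issue() {
    ext="$WORK/$1.ext"
    if [ "${4:-}" = ca ]; then
        printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$ext"
    else
        printf 'basicConstraints=critical,CA:FALSE\nkeyUsage=critical,digitalSignature\n' > "$ext"
    fi
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$3.pem" -CAkey "$WORK/$3.key" \
        -CAcreateserial -days 1 -sha256 -extfile "$ext" -out "$WORK/$1.pem" >/dev/null 2>&1
}

# cert_cn NAME : subject in RFC 2253 form, e.g. CN=alice
cert_cn() { openssl x509 -in "$WORK/$1.pem" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'; }

# cert_fp NAME : SHA-256 fingerprint, the CLI counterpart of X509_digest on the peer certificate
cert_fp() { openssl x509 -in "$WORK/$1.pem" -noout -fingerprint -sha256 | sed 's/^.*=//'; }

# build_bundle OUT CA... : the CAfile is just the CA PEM files concatenated
build_bundle() { out="$WORK/$1.pem"; shift; for c in "$@"; do cat "$WORK/$c.pem"; done > "$out"; }

# verify BUNDLE CERT [UNTRUSTED] [DEPTH] : prints ok or fail
# UNTRUSTED plays the role of an intermediate the client sends along with its
# own certificate; DEPTH limits how many intermediates are allowed (0 = none)
verify() {
    untrusted=""; depth=""
    [ -n "${3:-}" ] && untrusted="-untrusted $WORK/$3.pem"
    [ -n "${4:-}" ] && depth="-verify_depth $4"
    if openssl verify -CAfile "$WORK/$1.pem" $untrusted $depth "$WORK/$2.pem" >/dev/null 2>&1
    then echo ok; else echo fail; fi
}

demo() {
    new_ca ca_a "Demo CA A"
    new_ca ca_b "Demo CA B"
    issue alice_a alice ca_a          # two different certificates ...
    issue alice_b alice ca_b          # ... carrying the same CN
    issue inter "Demo Intermediate" ca_a ca
    issue bob bob inter               # chain: bob -> inter -> ca_a
    build_bundle trust_a  ca_a        # CAfile trusting CA A only
    build_bundle trust_ab ca_a ca_b   # CAfile made by concatenating both CAs

    echo "work dir: $WORK"
    echo "CN alice_a: $(cert_cn alice_a)   CN alice_b: $(cert_cn alice_b)"
    echo "FP alice_a: $(cert_fp alice_a)"
    echo "FP alice_b: $(cert_fp alice_b)"
    echo "alice_a vs CA A only:           $(verify trust_a alice_a)"     # ok
    echo "alice_b vs CA A only:           $(verify trust_a alice_b)"     # fail: issuer not trusted
    echo "alice_b vs CA A + CA B:         $(verify trust_ab alice_b)"    # ok
    echo "bob without intermediate:       $(verify trust_a bob)"         # fail: issuer unknown
    echo "bob with intermediate:          $(verify trust_a bob inter)"   # ok: default depth allows it
    echo "bob with intermediate, depth 0: $(verify trust_a bob inter 0)" # fail: chain too long
    echo "alice_a, depth 0:               $(verify trust_a alice_a '' 0)" # ok
}

demo
```

Run it with `sh`; it prints the scratch directory so the generated files can be inspected or removed afterwards. The two alice certificates show why the CN cannot serve as the database key: nothing stops a second CA (or the same CA) from issuing another certificate with that name, whereas the fingerprints differ. The last four lines are the chain-length concern from the reply: once the client supplies the intermediate, the default verification accepts a two-link chain to CA A, and only an explicit depth limit (`-verify_depth` here, `SSL_CTX_set_verify_depth` or a depth check in the verify callback in the C API) rejects it while still accepting a certificate issued directly by a trusted CA.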
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]