Sumit Bandyopadhyay wrote:
> 
> Hello,
> 
> My company is setting up a B2Bi integration network. As an optional part of
> this, we would like to use x509 certificate based client and server
> authentication.
> 
> We found out that the typical server certificates we and our clients buy
> from Verisign have a specified purpose of 'SSL Server'.
> When we try to use the same certificate to authenticate one server to
> another server, modssl/openssl rejects the certificate from the client side,
> saying '[error] Certificate Verification: Error (26): unsupported
> certificate purpose'
> 
> We could not find a way to get a certificate from Verisign which is valid as
> both a server and a client.
> 
> We would rather not become a certificate issuer ourselves.
> 
> How do people solve the issue of mutual certificate based authentication?
> 
> Is there a way to turn off the certificate purpose in modssl/openssl without
> changing the source code?
> 
> What kinds of security holes are we likely to run into if we try to turn off
> the check for certificate purpose?
> 

The OpenSSL purpose checking is customisable. The default behaviour is
to verify client certificates using the client certificate purpose and
server certificates for the server purpose. You can override this and supply
your own purposes using the calls SSL_set_purpose and
SSL_CTX_set_purpose. So for your case you might do:

SSL_set_purpose(ssl, X509_PURPOSE_SSL_SERVER);

Steve.
-- 
Dr Stephen N. Henson.   http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED] 
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the   OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
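The purpose mismatch Steve describes, reproduced with the openssl command line as an added example (not part of the original thread): a constructed test CA issues a leaf certificate whose extendedKeyUsage is serverAuth only, like a commercial "SSL Server" certificate, and the -purpose option of openssl verify, the CLI counterpart of SSL_CTX_set_purpose(), decides whether it passes. Assumes OpenSSL 1.1.1 or later; the CA, hostname and file names are constructed.

```shell
#!/bin/sh
# Added example: show where "error 26: unsupported certificate purpose" comes
# from and that the verification purpose, not the certificate, is what changes.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed test CA plus a leaf with extendedKeyUsage = serverAuth only.
make_certs() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Test CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -subj "/CN=b2b.example.test" \
    -keyout "$WORK/srv.key" -out "$WORK/srv.csr" >/dev/null 2>&1
  printf 'extendedKeyUsage = serverAuth\n' > "$WORK/srv.ext"
  openssl x509 -req -in "$WORK/srv.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 1 -extfile "$WORK/srv.ext" -out "$WORK/srv.pem" >/dev/null 2>&1
}

# purpose_flag "SSL client" -> Yes/No, taken from the purpose table OpenSSL
# derives from the certificate's extensions (openssl x509 -purpose).
purpose_flag() {
  openssl x509 -in "$WORK/srv.pem" -noout -purpose | sed -n "s/^$1 *: *//p"
}

# verify_as sslclient|sslserver -> "ok" or the verify error text, which is the
# same message mod_ssl logs when it checks a peer cert under the wrong purpose.
verify_as() {
  if openssl verify -CAfile "$WORK/ca.pem" -purpose "$1" "$WORK/srv.pem" >/dev/null 2>&1; then
    echo ok
  else
    openssl verify -CAfile "$WORK/ca.pem" -purpose "$1" "$WORK/srv.pem" 2>&1 \
      | grep -o 'unsupported certificate purpose' || echo "other failure"
  fi
}

make_certs
echo "SSL client purpose:        $(purpose_flag 'SSL client')"   # No
echo "SSL server purpose:        $(purpose_flag 'SSL server')"   # Yes
echo "verify -purpose sslclient: $(verify_as sslclient)"         # unsupported certificate purpose
echo "verify -purpose sslserver: $(verify_as sslserver)"         # ok
```

The sslserver run is what SSL_CTX_set_purpose(ctx, X509_PURPOSE_SSL_SERVER) makes the verifying peer do; the chain, validity and revocation checks are still applied, only the EKU expectation changes.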


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]