I don't have the specific code, but it's not that much. I take it that you're issuing your own certs with the acceptable client ip in the "subjectAltName" - you might want to allow a range.
I have similar code but not for this purpose, so let's see if I can put them together. My code looks at the subject name, so I might be wrong in looking for the alt name in the subject, but it's a start.

    #include <string.h>
    #include <sys/socket.h>
    #include <netinet/in.h>
    #include <arpa/inet.h>
    #include <openssl/ssl.h>
    #include <openssl/x509v3.h>

    SSL *ssl;                        /* client SSL struct, assume this exists */
    int fd, i, n, match = 0;
    socklen_t l;
    struct sockaddr_in client_addr;  /* sockaddr_in, so that sin_addr exists */
    char ip_addr[INET_ADDRSTRLEN];
    X509 *cert;
    GENERAL_NAMES *sans;

    /* get the ip of client */
    fd = SSL_get_fd(ssl);
    l = sizeof(client_addr);
    if (getpeername(fd, (struct sockaddr *)&client_addr, &l) != 0)
        /* handle the error */;
    strcpy(ip_addr, inet_ntoa(client_addr.sin_addr));  /* text form, for logging only */

    /* subjectAltName is an X.509v3 extension, not an attribute of the subject
     * name, so it is fetched with X509_get_ext_d2i rather than
     * X509_NAME_get_text_by_NID; an IP entry holds raw octets, not text */
    cert = SSL_get_peer_certificate(ssl);   /* NULL if the client sent no cert */
    if (cert != NULL) {
        sans = X509_get_ext_d2i(cert, NID_subject_alt_name, NULL, NULL);
        n = sans ? sk_GENERAL_NAME_num(sans) : 0;
        for (i = 0; i < n; i++) {
            GENERAL_NAME *gn = sk_GENERAL_NAME_value(sans, i);
            /* 4 octets in network order, same layout as sin_addr */
            if (gn->type == GEN_IPADD && gn->d.iPAddress->length == 4 &&
                memcmp(gn->d.iPAddress->data, &client_addr.sin_addr, 4) == 0)
                match = 1;
        }
        GENERAL_NAMES_free(sans);
        X509_free(cert);             /* reduce reference count */
    }
    if (!match)
        /* mismatch, or no client cert at all! */;

Steve

On Thu, 4 Oct 2001, Andy Schneider wrote:

> Does anyone have any canned code I could steal that does IP address
> validation. I.e. grabs the IP address from the alt subject name and
> compares it against the IP of the incoming socket?
>
> Andy S.
>
> > -----Original Message-----
> > From: Costas Magos [mailto:[EMAIL PROTECTED]]
> > Sent: 04 October 2001 15:40
> > To: [EMAIL PROTECTED]
> > Subject: SSL Handshake Failure !
> > Importance: High
> >
> > Dear all,
> >
> > Sorry for posting the following again, but I am in a bit of a hurry.
> >
> > I'm running an Apache server (1.3.19) with openssl 0.9.6b on Solaris 2.6 /
> > SPARCclassic platform. Apache serves a site that accesses a database
> > through various cgi-scripts or through a java applet for more specialized
> > actions.
> > The database is managed just fine with the cgi-scripts, but when I try to
> > load the java applet to do some advanced configuration, the browser hangs
> > at some point (while loading some classes) and the server produces the
> > following error logs:
> >
> > [info] [client xxx.xxx.xxx.xxx] SSL accept timeout timed out
> > [error] SSL_accept failed
> >
> > and then
> >
> > [debug] apache_ssl.c(1123): Generating 512 bit key
> > [debug] apache_ssl.c(287): SSL_accept returned 0
> > [debug] apache_ssl.c(291): error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure
> > [debug] apache_ssl.c(379): Random input /dev/random(1024) -> 1024
> > [debug] apache_ssl.c(1123): Generating 512 bit key
> > [debug] apache_ssl.c(287): SSL_accept returned 0
> > [debug] apache_ssl.c(291): error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure
> > [debug] apache_ssl.c(379): Random input /dev/random(1024) -> 1024
> > [debug] apache_ssl.c(1123): Generating 512 bit key
> > [debug] apache_ssl.c(287): SSL_accept returned 0
> > [debug] apache_ssl.c(291): error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake
> >
> > What is going on? Could someone please help me? Any help would be much
> > appreciated.
> >
> > Respectfully,
> >
> > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> > Costas Magos
> > Ariadne-t Network Operation Center,
> > NCSR "Demokritos"
> > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> > email: [EMAIL PROTECTED]
> > tel.: +30 1 6544279,
> >       +30 1 6503125
> > fax: +30 1 6532910
> >
> > ______________________________________________________________________
> > OpenSSL Project                                 http://www.openssl.org
> > User Support Mailing List                          [EMAIL PROTECTED]
> > Automated List Manager                             [EMAIL PROTECTED]
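The comparison Steve's code makes between the certificate's IP and the address getpeername() returns, widened the way his first paragraph suggests: this is an added example, not code from the original post, and it treats the certificate's IP as a network with a prefix length (32 for IPv4 or 128 for IPv6 gives the exact-match case, smaller values accept a range) and handles IPv6 as well as IPv4. `san_ip_covers_peer` and `san_text_covers_peer_text` are hypothetical helper names. The first takes the raw octets exactly as OpenSSL's GENERAL_NAME stores them in `d.iPAddress->data` / `length` (4 or 16 bytes, network order), so it slots into a loop over the subjectAltName entries without needing the OpenSSL headers itself; the second only exists so the logic can be exercised from textual addresses.

```c
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

/* Hypothetical helper (not from the original post): does the iPAddress octet
 * string of one subjectAltName entry (4 bytes IPv4, 16 bytes IPv6, i.e. what
 * GENERAL_NAME->d.iPAddress->data/length hold) cover the socket peer?
 * prefix_bits of 32 (IPv4) or 128 (IPv6) means an exact match; anything
 * smaller treats the certificate address as a network and accepts a range. */
int san_ip_covers_peer(const unsigned char *san, int san_len,
                       const struct sockaddr *peer, int prefix_bits)
{
    const unsigned char *peer_bytes;
    int addr_len, full_bytes, rem_bits;

    /* The SAN length must agree with the peer's address family. */
    if (peer->sa_family == AF_INET && san_len == 4) {
        peer_bytes = (const unsigned char *)&((const struct sockaddr_in *)peer)->sin_addr;
        addr_len = 4;
    } else if (peer->sa_family == AF_INET6 && san_len == 16) {
        peer_bytes = (const unsigned char *)&((const struct sockaddr_in6 *)peer)->sin6_addr;
        addr_len = 16;
    } else {
        return 0;   /* family mismatch or malformed SAN length: reject */
    }
    if (prefix_bits < 0 || prefix_bits > addr_len * 8)
        return 0;   /* a bad prefix fails closed rather than widening the match */

    /* Compare the whole bytes inside the prefix, then the leftover bits. */
    full_bytes = prefix_bits / 8;
    rem_bits = prefix_bits % 8;
    if (memcmp(san, peer_bytes, (size_t)full_bytes) != 0)
        return 0;
    if (rem_bits) {
        unsigned char mask = (unsigned char)(0xFF << (8 - rem_bits));
        if ((san[full_bytes] & mask) != (peer_bytes[full_bytes] & mask))
            return 0;
    }
    return 1;
}

/* Hypothetical convenience wrapper: parse both addresses from text, build the
 * sockaddr that getpeername() would have filled in, and run the check.
 * Returns 0 for anything that does not parse. */
int san_text_covers_peer_text(const char *san_txt, const char *peer_txt,
                              int prefix_bits)
{
    unsigned char san[16];
    struct sockaddr_storage ss;
    int san_len;

    memset(&ss, 0, sizeof(ss));
    if (inet_pton(AF_INET, san_txt, san) == 1)
        san_len = 4;
    else if (inet_pton(AF_INET6, san_txt, san) == 1)
        san_len = 16;
    else
        return 0;

    if (inet_pton(AF_INET, peer_txt, &((struct sockaddr_in *)&ss)->sin_addr) == 1)
        ss.ss_family = AF_INET;
    else if (inet_pton(AF_INET6, peer_txt, &((struct sockaddr_in6 *)&ss)->sin6_addr) == 1)
        ss.ss_family = AF_INET6;
    else
        return 0;

    return san_ip_covers_peer(san, san_len, (const struct sockaddr *)&ss, prefix_bits);
}
```

In the real check the octets come straight from the decoded extension and the sockaddr from getpeername(), so only `san_ip_covers_peer` is called; a certificate that carries several iPAddress entries is accepted if any one of them covers the peer. Note that an entry whose length does not fit the peer's family is rejected rather than skipped, and an out-of-range prefix also rejects, so a configuration slip cannot turn the check into a wildcard.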