Leonid,

The quick answer to your question is that YOU must parse the cert received from the client to determine whether s/he has access to your site or not. The use of a Verisign-signed certificate, with the trusted Verisign CA cert chain contained within the OpenSSL CA cert store, simply means the received cert is signed by a trusted CA and that the SSL connection is considered trusted.

See the following function descriptions to help you with cert parsing following a successful SSL connection:
    /* only meaningful if SSL_VERIFY_PEER was set on the context, so the chain was checked */
    if (SSL_get_verify_result(ssl) != X509_V_OK) { /* reject */ }
    PeerCert = SSL_get_peer_certificate(ssl);   /* NULL if the client sent no cert */
    X509_NAME_oneline(X509_get_subject_name(PeerCert), buffer, 256);
    /* add code to parse buffer for the CN of the client cert and validate the peer */
    X509_NAME_oneline(X509_get_issuer_name(PeerCert), buffer, 256);
    /* the date accessors return an ASN1_TIME *, not a struct tm */
    ASN1_TIME *notBefore = X509_get_notBefore(PeerCert);
    ASN1_TIME *notAfter  = X509_get_notAfter(PeerCert);
    X509_free(PeerCert);   /* SSL_get_peer_certificate() takes a reference */

For additional clarity, see also the info regarding trusted cert chains and loading of a server's cert and key:

    SSL_CTX_load_verify_locations
    SSL_CTX_set_default_verify_paths
    SSL_CTX_use_certificate_chain_file or SSL_use_certificate_file
    SSL_CTX_use_PrivateKey_file or SSL_use_PrivateKey_file

HTH,
Rob

-----Original Message-----
From: ZILBER,LEONID (HP-NewJersey,ex1) [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, November 28, 2001 9:41 AM
To: '[EMAIL PROTECTED]'
Subject: RE: certs

Michael and Jonathan,

Thank you for your comments. I understand that the server sends a list of accessible CAs. Here is the case I don't completely understand how it works. e.g. I have 2 VeriSign client certs, but only 1 VeriSign cert should be valid at the protected site. Although they are issued from the same CA, the information inside them is a little different. The server obviously has the DN of VeriSign, which is an acceptable CA, so both certs are valid (in terms of being issued by a valid CA), but only one cert should be VALID to enter that specific site. In your response, you said a choice must be made; an arbitrary choice? Who determines that VeriSign Cert #1, even though it is issued by the valid CA, is not valid to enter this site, while VeriSign Cert #2 is a valid one?

Thank you in advance.
Leon

-----Original Message-----
From: Michael Sierchio [mailto:[EMAIL PROTECTED]]
Sent: Monday, November 26, 2001 9:12 PM
To: [EMAIL PROTECTED]
Subject: Re: certs

"ZILBER,LEONID (HP-NewJersey,ex1)" wrote:

> When a person browses to a cert protected website a window pops up asking to
> choose which certificate you would like to present, in case the person has
> several certs installed.
>
> Q1. When I choose a cert, how does a server determine if it is the right
> cert or not?

Part of the SSL handshake (in the case of the server requiring client auth) involves the server sending a list of DNs of acceptable CAs. The client presents a cert signed by (or a cert chain terminating in a cert signed by) one of those CAs. If the client has more than one user cert signed by one of the acceptable CAs, a choice must be made.

> Q2. Is there a way to configure a server, so when a user gets to a cert
> protected site, server can find the correct certs automatically in the user
> repository, without prompting a user to choose the correct cert?

The server doesn't find anything in the user repository -- it's up to the client. You can edit, presumably, the list of CAs trusted by the server to include only certs issued by your own CA, for example.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                           [EMAIL PROTECTED]
Automated List Manager                              [EMAIL PROTECTED]
______________________________________________________________________

*****************************************************************
DISCLAIMER: The information contained in this e-mail may be confidential and is intended solely for the use of the named addressee. Access, copying or re-use of the e-mail or any information contained therein by any other person is not authorized. If you are not the intended recipient please notify us immediately by returning the e-mail to the originator.
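The two halves of the answer in this thread, as an added example that is not part of any message above: the server context decides which CAs are trusted (Michael's point), and a separate application check decides which of the certs those CAs issued may enter this particular site (Rob's point). Python's ssl module is used here because it wraps the same OpenSSL calls Rob lists (load_verify_locations is SSL_CTX_load_verify_locations, load_cert_chain covers the certificate-chain and private-key loaders, and CERT_REQUIRED is SSL_VERIFY_PEER with SSL_VERIFY_FAIL_IF_NO_PEER_CERT). The two peer-cert dictionaries, the CA and subject names, serial numbers, dates and the allowlist are all constructed for the example; the file paths passed to make_server_context are placeholders supplied by the caller.

```python
import ssl
import time

# Constructed sample peer certificates in the shape returned by
# ssl.SSLSocket.getpeercert() after the handshake. Names, serials and
# dates are made up for this example, not taken from the thread.
CERT_ONE = {
    "subject": ((("countryName", "US"),),
                (("organizationName", "Example Corp"),),
                (("commonName", "alice@example.com"),)),
    "issuer": ((("countryName", "US"),),
               (("organizationName", "VeriSign, Inc."),),
               (("commonName", "VeriSign Class 1 CA"),)),
    "serialNumber": "0A1B2C3D",
    "notBefore": "Nov 28 00:00:00 2001 GMT",
    "notAfter": "Nov 28 23:59:59 2002 GMT",
}
# A second cert from the same CA, differing only in subject and serial:
# chain verification accepts both, only the application tells them apart.
CERT_TWO = dict(CERT_ONE, serialNumber="0A1B2C3E",
                subject=((("countryName", "US"),),
                         (("organizationName", "Example Corp"),),
                         (("commonName", "bob@example.com"),)))

# Hypothetical site policy: (issuer CN, subject CN) pairs allowed in.
# Keying on serialNumber instead is stricter if two certs share a subject.
ALLOWED = {("VeriSign Class 1 CA", "alice@example.com")}

# Fixed "current time" inside both certs' validity period so the example
# gives the same result whenever it is run.
SAMPLE_NOW = ssl.cert_time_to_seconds("Jun 15 12:00:00 2002 GMT")


def make_server_context(cafile, certfile, keyfile):
    """Server context: the CA file is the list of issuers the server trusts
    and advertises; paths are caller-supplied placeholders."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    # SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT: a client cert is
    # required and the handshake fails unless it chains to a CA in cafile.
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.load_verify_locations(cafile=cafile)   # SSL_CTX_load_verify_locations
    ctx.load_cert_chain(certfile, keyfile)     # SSL_CTX_use_certificate_chain_file / SSL_CTX_use_PrivateKey_file
    return ctx


def name_attr(name_seq, attr):
    """First value of attr (e.g. 'commonName') in a getpeercert() name tuple."""
    for rdn in name_seq:
        for key, value in rdn:
            if key == attr:
                return value
    return None


def authorize_peer(peercert, allowed, now=None):
    """Site-specific decision taken after the handshake has proved the chain.
    Returns (ok, reason)."""
    if not peercert:
        return False, "no client certificate presented"
    now = time.time() if now is None else now
    # OpenSSL already rejects expired certs during chain verification; the
    # dates are re-read here only to mirror the notBefore/notAfter accessors.
    not_before = ssl.cert_time_to_seconds(peercert["notBefore"])
    not_after = ssl.cert_time_to_seconds(peercert["notAfter"])
    if not (not_before <= now <= not_after):
        return False, "certificate outside its validity period"
    issuer_cn = name_attr(peercert["issuer"], "commonName")
    subject_cn = name_attr(peercert["subject"], "commonName")
    if (issuer_cn, subject_cn) not in allowed:
        return False, f"{subject_cn!r} issued by {issuer_cn!r} is not on this site's allowlist"
    return True, f"{subject_cn!r} authorized"


if __name__ == "__main__":
    for cert in (CERT_ONE, CERT_TWO):
        print(authorize_peer(cert, ALLOWED, now=SAMPLE_NOW))
```

In a real server the dictionary passed to authorize_peer comes from conn.getpeercert() on the accepted socket; a handshake that completes under CERT_REQUIRED already guarantees the chain, so the allowlist check is the only thing that separates Cert #1 from Cert #2.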