On Wed, Nov 30, 2005 at 07:32:07PM +0100, Peter Sylvester wrote:

> 
> C=FR;O=JANUS;CN="server1";CN="server2"
> 
> What I mean with LAST is: The code gives server1, but what should be 
> compared should be server2
> 

AFAIK multiple CNs are not valid in the context of at least server
certificates.  That is what SubjectAltName is for. The code in
question is cloned from original code by Lutz, which obtains
the CN in the same way.

> >Yes, that is its purpose, verifying DNS names in server certificates.
> >There is more code (not shown) that first looks at SubjectAltName:DNS...
>
> Yes, I suppose, all kinds of ssl client apps have almost the same code, 
> and often make the same error. :-)

The original code was written by Lutz Jaenicke, was it wrong?

       if (dNSName_found) {
           if (!hostname_matched)
               msg_info("Peer verification: %d dNSNames in certificate found, but no one does match %s",
                        dNSName_found, TLScontext->peername_save);
       } else {
           buf[0] = '\0';
           if (!X509_NAME_get_text_by_NID(X509_get_subject_name(err_cert),
                          NID_commonName, buf, 256)) {
               msg_info("Could not parse server's subject CN");
               pfixtls_print_errors();
           }
           else {
               hostname_matched = match_hostname(buf, TLScontext);
               if (!hostname_matched)
                   msg_info("Peer verification: CommonName in certificate does not match: %s != %s",
                            buf, TLScontext->peername_save);
           }
       }

Under what conditions would I find two CNs in an SSL server certificate?

> In fact, I believe that such code should be part of a utility function 
> in openssl
> that gets the dnsname and/Ip address as input and says whether the cert 
> is good for that.
> 

Well Postfix wants more control over the verification process, because
it optionally (and by default) allows unverified sessions to proceed, and
it wants to carefully support "*.domain.com" CNs with "*" matching just
one level of sub-domains, and ...

Ultimately, real-world applications write their own verification callbacks.

-- 
        Viktor.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]

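Added example, not Postfix code and not from the thread above: a self-contained C model of the verification flow the reply describes, so the two points under discussion can be exercised without OpenSSL. dNSName entries from SubjectAltName are tried first and the CN is consulted only when the certificate carries no dNSName at all; when the CN path is taken, only the first CN is used, which is what X509_NAME_get_text_by_NID() hands back and why Peter's two-CN subject yields "server1". The wildcard rule is the one stated in the reply ("*" matches exactly one label); the extra refusal of patterns like "*.com" is my own hardening, not something the thread mentions. The certificate contents are constructed sample data, not real certificates.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Case-insensitive comparison of n bytes of two DNS names. */
static int ieq(const char *a, const char *b, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return 0;
    return 1;
}

/* Does one certificate name (dNSName or CN) match the peer name?
 * A leading "*." matches exactly one label, so "*.example.com" covers
 * "mail.example.com" but neither "example.com" nor "a.b.example.com".
 * A "*" anywhere else is treated as a literal character.
 * Added hardening (assumption, not from the thread): a wildcard must be
 * followed by at least two labels, so "*.com" never matches anything. */
int match_hostname(const char *pattern, const char *host)
{
    size_t plen = strlen(pattern), hlen = strlen(host);

    if (plen == 0 || hlen == 0)
        return 0;

    /* Plain name: exact, case-insensitive comparison. */
    if (plen < 2 || pattern[0] != '*' || pattern[1] != '.')
        return plen == hlen && ieq(pattern, host, hlen);

    const char *suffix = pattern + 1;      /* ".example.com" */
    size_t slen = plen - 1;
    if (strchr(suffix + 1, '.') == NULL)   /* refuse "*.tld" */
        return 0;

    /* Host must be one non-empty label followed by exactly the suffix. */
    const char *dot = strchr(host, '.');
    if (dot == NULL || dot == host)
        return 0;
    size_t hslen = hlen - (size_t)(dot - host);
    return hslen == slen && ieq(dot, suffix, slen);
}

/* Mirrors the control flow of the Postfix snippet: dNSNames present means
 * only dNSNames are consulted (no CN fallback); otherwise the first CN is
 * used, as X509_NAME_get_text_by_NID() would return it. Returns 1 on match. */
int verify_peer_name(const char *const *dnsnames, size_t ndns,
                     const char *const *cns, size_t ncn, const char *peername)
{
    if (ndns > 0) {
        for (size_t i = 0; i < ndns; i++)
            if (match_hostname(dnsnames[i], peername))
                return 1;
        return 0;
    }
    if (ncn == 0)
        return 0;
    return match_hostname(cns[0], peername);
}

/* Constructed sample certificate contents (not real certificates). */
static const char *const SAN_CERT_DNS[] = { "mail.example.com", "*.example.net" };
static const char *const SAN_CERT_CN[]  = { "server2" };
static const char *const CN_ONLY_CNS[]  = { "server1", "server2" };  /* Peter's case */

int check_san_cert(const char *peername)
{
    return verify_peer_name(SAN_CERT_DNS, 2, SAN_CERT_CN, 1, peername);
}

int check_cn_only_cert(const char *peername)
{
    return verify_peer_name(NULL, 0, CN_ONLY_CNS, 2, peername);
}

int main(void)
{
    const char *peers[] = { "mail.example.com", "smtp.example.net",
                            "a.b.example.net", "server1", "server2" };
    for (size_t i = 0; i < sizeof peers / sizeof peers[0]; i++)
        printf("%-18s SAN cert: %d   CN-only cert: %d\n", peers[i],
               check_san_cert(peers[i]), check_cn_only_cert(peers[i]));
    return 0;
}
```

Two outcomes are worth noticing: "server2" fails against the SAN certificate even though it is the CN, because a certificate with dNSNames gets no CN fallback; and "server2" fails against the CN-only certificate because only the first CN is compared.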