A client certificate does not identify an IP or domain name; a client certificate identifies a user.

A server certificate identifies an IP or domain name (usually a domain name).

And to follow up on your other question (how to make it a warning instead of an error): if you're programming, you set a callback for cert_verify (or whatever it's called, I'm too tired to look it up right now). Then you can look at the verify return code -- if it's UNKNOWN_CA, then you can present a dialog to the user. This happens before any actual application data is transmitted on the wire.

-Kyle H

On 3/30/06, Michael Dorrian wrote:
> This is the scenario. I have a root CA which I use to sign both the client
> certificate and the server certificate. When you are checking the client
> certificate, all you are checking is whether the IP address matches the IP
> address in the certificate, but the certificate and IP address could be
> anyone's. Therefore all I need if I want to connect to the server is the
> same root CA as the server, and then make my own client certificate and
> then connect to the server. In this case the root CA is all I need to have
> to make my client CA. Therefore, why is this check needed at all?
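As an added example (not code from the thread or from the OpenSSL project), here is what the callback Kyle describes looks like against the OpenSSL C API, with the decision policy split out so it compiles and runs without OpenSSL: the V_* numbers are copied from OpenSSL's x509_vfy.h, user_accepts_unknown_ca is a placeholder for the application's dialog, and the OpenSSL-specific callback builds only with -DUSE_OPENSSL and links with -lssl -lcrypto.

```c
/* Verify-callback policy: turn "unknown CA" into a user prompt, keep every other failure fatal. */

/* Numeric values of the X509_V_ERR_* codes from OpenSSL's x509_vfy.h,
 * redeclared so the policy is testable without the OpenSSL headers. */
#define V_OK                         0
#define V_ERR_CERT_SIGNATURE_FAILURE 7
#define V_ERR_DEPTH_ZERO_SELF_SIGNED 18
#define V_ERR_SELF_SIGNED_IN_CHAIN   19
#define V_ERR_NO_LOCAL_ISSUER        20

enum verdict { VERDICT_ACCEPT, VERDICT_ASK_USER, VERDICT_REJECT };

/* preverify_ok is what OpenSSL passes to the callback (1 = this cert passed its checks).
 * Only "issuer unknown to us" is offered to the user; signature, validity and
 * constraint errors stay fatal because no dialog can make a forged chain trustworthy. */
enum verdict classify_verify_error(int preverify_ok, int err)
{
    if (preverify_ok)
        return VERDICT_ACCEPT;
    switch (err) {
    case V_ERR_NO_LOCAL_ISSUER:      /* the "UNKNOWN_CA" case in the reply */
    case V_ERR_DEPTH_ZERO_SELF_SIGNED:
    case V_ERR_SELF_SIGNED_IN_CHAIN:
        return VERDICT_ASK_USER;
    default:
        return VERDICT_REJECT;
    }
}

#ifdef USE_OPENSSL
#include <openssl/ssl.h>
#include <openssl/x509_vfy.h>

/* Placeholder for the application's dialog; returning 0 keeps the default safe. */
static int user_accepts_unknown_ca(X509 *cert) { (void)cert; return 0; }

/* Install with SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, verify_cb). Returning 1 lets
 * the handshake continue, 0 aborts it; no application data has been sent yet when this runs. */
static int verify_cb(int preverify_ok, X509_STORE_CTX *ctx)
{
    int err = X509_STORE_CTX_get_error(ctx);
    switch (classify_verify_error(preverify_ok, err)) {
    case VERDICT_ACCEPT:   return 1;
    case VERDICT_ASK_USER: return user_accepts_unknown_ca(X509_STORE_CTX_get_current_cert(ctx));
    default:               return 0;
    }
}
#endif
```

The callback runs once per certificate in the chain, so the prompt fires for the untrusted issuer and the remaining certificates then arrive with preverify_ok set.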