I want to verify that whoever the client is claiming to be is actually allowed to connect. However, I don't know where to find this information in the cert. Are there standard fields where this information can be found? For example, in the book "Network Security with OpenSSL", there is sample code for verifying that the server is actually who the client connected to. It first looks for the "Subject Alternative Name" field, then looks for the "DNS" field within that and checks if this matches the hostname being connected to. If the "DNS" field is not found, it then checks the "Subject" field for the "Common Name" field and checks if this matches the hostname being connected to. Is this the proper way to verify the server cert? And would this work for most, if not all, server certs the client might receive? Are these typically the fields that one would use to enter the server's identity?
I'm looking for something similar for verifying the client. Is there some set of fields that are typically used to enter the client's identity? Would the same fields be used for a client cert? I guess, put a different way, if a webserver such as Apache was configured to require client authentication, what would it do to verify the client? And is there a standard set of things to check? Or does Apache give the administrator a way to configure the criteria for client authentication?

Thanks in advance for taking the time to help out a rookie :)

Ed

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of David Schwartz
> Sent: Wednesday, November 01, 2006 8:12 PM
> To: openssl-users@openssl.org
> Subject: RE: How to do client verification?
>
>
> > I'm wondering what is the usual criteria for doing client
> > verification? I've got everything coded to ask the client for a cert,
> > and I get the cert by calling SSL_get_peer_certificate(). But I don't
> > know what to check for to verify the client's identity. Is there some
> > standard field(s) that are always present in a client certificate that
> > should be checked for?
> > Any sample code to read these fields out of an X509* would also be
> > greatly appreciated.
>
> The 95% answer to questions on this list applies to you --
> what is your threat model? What are you trying to prevent?
>
> When you say "verify the client's identity", what do you
> mean? Do you mean:
>
> 1) Verify that the client is some one particular person.
>
> 2) Verify that the client was authorized by some one particular agent.
>
> 3) Verify that we know who the client is, regardless of who
> specifically he is.
>
> Or what?
>
> DS
>
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    openssl-users@openssl.org
> Automated List Manager                           [EMAIL PROTECTED]
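The two checks discussed in this thread, written out as an added example that is not code from the thread, from the book Ed cites, or from OpenSSL. It assumes the certificate has already been parsed into the dictionary shape that Python's standard-library `ssl.SSLSocket.getpeercert()` returns (a `subject` sequence of RDNs and a `subjectAltName` sequence of `(type, value)` pairs); the certificates below are constructed sample data, not real certificates. Chain validation (is the cert signed by a CA we trust, is it in its validity period, is it revoked?) is a separate step that the TLS library performs first; these functions only answer "which names does this certificate carry, and are they the ones we expect?".

```python
"""Identity checks over an already-parsed X.509 certificate (added example).

Assumed input shape, the one ssl.SSLSocket.getpeercert() returns, e.g.:
    {'subject': ((('commonName', 'host.example'),),),
     'subjectAltName': (('DNS', 'host.example'), ('DNS', '*.host.example'))}
"""


def san_entries(cert, kind):
    """All subjectAltName values of one type ('DNS', 'email', 'URI', 'IP Address')."""
    return [value for typ, value in cert.get("subjectAltName", ()) if typ == kind]


def common_name(cert):
    """The subject's commonName, or None if the subject has none."""
    for rdn in cert.get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName":
                return value
    return None


def _dns_name_match(pattern, hostname):
    """Case-insensitive DNS name match; '*' may replace only the leftmost label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # '*.api.example' matches 'v1.api.example' but not 'api.example'
    # and not 'a.b.api.example'.
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def server_hostname_matches(cert, hostname):
    """The server-side rule from the book: SAN dNSName first, CN as fallback.

    The CN is consulted only when the certificate carries no dNSName at all;
    a cert with SAN dNSNames that do not match is rejected even if its CN matches.
    """
    dns_names = san_entries(cert, "DNS")
    if dns_names:
        return any(_dns_name_match(n, hostname) for n in dns_names)
    cn = common_name(cert)
    return cn is not None and _dns_name_match(cn, hostname)


def client_identities(cert):
    """Identity strings a client certificate presents: SAN email/DNS/URI plus CN."""
    ids = set()
    for kind in ("email", "DNS", "URI"):
        ids.update(san_entries(cert, kind))
    cn = common_name(cert)
    if cn:
        ids.add(cn)
    return ids


def client_authorized(cert, allowed):
    """Client-side rule: the presented identity must be on an explicit allow-list.

    This is the application-level decision that a server makes after the TLS
    library has already verified the chain; `allowed` is a set of identity
    strings the administrator chose (a hypothetical policy, not an OpenSSL API).
    """
    return not client_identities(cert).isdisjoint(allowed)


# Constructed sample certificates for illustration (not real, not from the thread).
SERVER_CERT = {
    "subject": ((("commonName", "www.example.test"),),),
    "subjectAltName": (("DNS", "www.example.test"), ("DNS", "*.api.example.test")),
}
LEGACY_SERVER_CERT = {  # no SAN extension at all: only the CN is available
    "subject": ((("countryName", "US"),), (("commonName", "legacy.example.test"),)),
}
CLIENT_CERT = {
    "subject": ((("organizationName", "Example Corp"), ("commonName", "Ed Rookie")),),
    "subjectAltName": (("email", "ed@example.test"),),
}

if __name__ == "__main__":
    print(server_hostname_matches(SERVER_CERT, "v1.api.example.test"))  # True
    print(server_hostname_matches(LEGACY_SERVER_CERT, "legacy.example.test"))  # True
    print(client_identities(CLIENT_CERT))  # {'ed@example.test', 'Ed Rookie'}
    print(client_authorized(CLIENT_CERT, {"ed@example.test"}))  # True
```

The split between `server_hostname_matches` and `client_authorized` reflects the distinction in David's reply: the first answers "is this the host I dialled?", which a CA-issued server cert encodes in its dNSName entries; the second answers "is this one of the parties I chose to admit?", which is policy the server operator has to supply, since nothing in a client cert by itself says which servers it may connect to.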