For example, would something like this be the right way to verify a client:

    #include <cstring>
    #include <set>
    #include <string>
    #include <openssl/ssl.h>
    #include <openssl/x509.h>

    // Returns the chain verification result if some attribute of the client's
    // Subject is in allowed_clients, otherwise X509_V_ERR_APPLICATION_VERIFICATION.
    // Takes the connection (SSL*), not the SSL_CTX*: SSL_get_peer_certificate()
    // works on a connection.
    int postAcceptCheck(SSL* ssl, const std::set<std::string>& allowed_clients)
    {
        X509* cert = SSL_get_peer_certificate(ssl);   // bumps the refcount; freed below
        if (cert) {
            X509_NAME* name = X509_get_subject_name(cert);
            if (name) {
                int count = X509_NAME_entry_count(name);
                // check if any field under Subject field matches a client in our allowed set
                for (int i = 0; i < count; i++) {
                    X509_NAME_ENTRY* entry = X509_NAME_get_entry(name, i);
                    if (entry) {
                        // Use the accessor instead of entry->value: the struct is opaque
                        // in OpenSSL >= 1.1.0. Copy by length so an embedded NUL is kept
                        // rather than silently truncating the name.
                        ASN1_STRING* data = X509_NAME_ENTRY_get_data(entry);
                        std::string value(reinterpret_cast<const char*>(ASN1_STRING_get0_data(data)),
                                          ASN1_STRING_length(data));
                        // std::set<std::string> compares contents; a set<char*> compares
                        // pointer addresses and would never match.
                        if (allowed_clients.find(value) != allowed_clients.end()) {
                            // client authenticated (provided the chain verified as well)
                            X509_free(cert);
                            return SSL_get_verify_result(ssl);
                        }
                    }
                }
            }
            X509_free(cert);
        }
        return X509_V_ERR_APPLICATION_VERIFICATION;
    }

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Edward Chan
> Sent: Wednesday, November 01, 2006 9:27 PM
> To: openssl-users@openssl.org
> Subject: RE: How to do client verification?
>
> I want to verify that whoever the client is claiming to be,
> is actually allowed to connect. However, I don't know where
> to find this information in the cert. Are there standard
> fields where this information can be found? For example, in
> the book, "Network Security with OpenSSL", there is sample
> code for verifying that the server is actually who the client
> connected to. It first looks for the "Subject Alternative
> Name" field, then looks for the "DNS" field within that and
> checks if this matches the hostname being connected to. If the "DNS"
> field is not found, it then checks the "Subject" field for
> the "Common Name" field and checks if this matches the
> hostname being connected to.
> Is this the proper way to verify the server cert? And would
> this work for most, if not all, server certs the client might
> receive? Are these typically the fields that one would use
> to enter the server's identity?
>
> I'm looking for something similar for verifying the client.
> Is there some set of fields that are typically used to enter
> the client's identity? Would the same fields be used for a
> client cert?
>
> I guess put a different way, if a webserver such as Apache
> was configured to require client authentication, what would
> it do to verify the client? And is there a standard set of
> things to check? Or does Apache give the administrator a way
> to configure the criteria for client authentication?
>
> Thanks in advance for taking the time to help out a rookie :)
>
> Ed
>
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of David Schwartz
> > Sent: Wednesday, November 01, 2006 8:12 PM
> > To: openssl-users@openssl.org
> > Subject: RE: How to do client verification?
> >
> > > I'm wondering what is the usual criteria for doing client
> > > verification? I've got everything coded to ask the client for a cert,
> > > and I get the cert by calling SSL_get_peer_certificate(). But I don't
> > > know what to check for to verify the client's identity. Is there some
> > > standard field(s) that are always present in a client certificate
> > > that should be checked for?
> > > Any sample code to read these fields out of an X509* would also be
> > > greatly appreciated.
> >
> > The 95% answer to questions on this list applies to you -- what is
> > your threat model? What are you trying to prevent?
> >
> > When you say "verify the client's identity", what do you mean? Do you
> > mean:
> >
> > 1) Verify that the client is some one particular person.
> >
> > 2) Verify that the client was authorized by some one particular agent.
> >
> > 3) Verify that we know who the client is, regardless of who
> > specifically he is.
> >
> > Or what?
> >
> > DS
> >
> > ______________________________________________________________________
> > OpenSSL Project                                 http://www.openssl.org
> > User Support Mailing List                    openssl-users@openssl.org
> > Automated List Manager                           [EMAIL PROTECTED]