Victor Duchovni wrote:
> On Wed, Mar 07, 2007 at 02:28:33AM +0100, Vladislav Marinov wrote:
>
>> I am trying to write a client/server application using the OpenSSL
>> support for DTLS and I have a problem with the server validating the
>> certificate of the client.
>
> Unless the server solicited the client connection, and was expecting
> a connection from a *given* client, it typically makes no sense to tie
> the client credentials to the client's IP address; rather, if you have
> a client cert, that's the client you are talking to, and you apply any
> rights/ACLs that go with that identity.
>
The server is simply waiting for connections, and when a client connects
and presents a certificate I want to make sure that
1. The client has a valid X.509 certificate
2. The client who is presenting the certificate is the one who owns the
certificate (to avoid attacks where a client presents a valid certificate
that does not belong to him)
This is why I want to extract information about which hostname/IP address
is participating in the TLS handshake and compare it to the Common Name
field in the certificate.
>> I have my own function that does the
>> validation - it compares the *physical* hostname/IP address of the
>> client with the Common Name field of a X.509 certificate.
>
> Why?
>
I mentioned the reasons above - I want to authenticate a specific
hostname/IP address.

>> Does OpenSSL provide a function which can return any
>> information about the other peer that has initiated the handshake?
>
> Why?
>
In TLS one can simply extract such information from the call to
accept(). However in DTLS there is no call to accept(), so we have
SSL_accept() and then we proceed to SSL_read() and SSL_write(). I cannot
find a way to extract information about the other party in this DTLS
connection.
>> recvfrom() will not work for me because I need to
>> know the IP/hostname whatever before I start receiving data from the
>> peer (in order to verify its certificate). Any help will be greatly
>> appreciated.
>
> What problem are you solving? Why do you need to validate the peer name
> before the data is received? You can do it after the handshake is complete
> just before you use the data.
>
Basically I have my server waiting for connections from users. Think
of the username as being the IP address/hostname of the client. If the
client presents a valid certificate then this is considered a valid
authentication. This is why it is important that the client does not
present a certificate that belongs to somebody else, and this is why I
compare the hostname/IP address with what is in the Common Name field of
the certificate. It doesn't really matter when I do the comparison, i.e.
when I check the certificate with my validation function, but my problem
is that I cannot extract the IP address/hostname of the other party in
the SSL connection.

Vladislav
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]