I'm wondering what's the best way to check the identity of the peer, i.e.
compare the commonName or subjectAltName included in the X.509 cert with
the data I expect.
The book "Network Security with OpenSSL" calls this "Post-connection
assertions" (page 134).
I already managed to extract all that data from the x509 certificate so
that's not the issue.
So I call SSL_get_verify_result() and SSL_get_peer_certificate(). My
question is *when* to call these functions. Some alternatives come to
mind, but I do not like any of them:
1. Call those functions when SSL_accept() (or SSL_connect()) returns
success.
That's not an option for me because I want to use the implicit connection
setup provided by SSL_read() and SSL_write().
2. Use SSL_in_init() after every call to SSL_read() or SSL_write() and
see if the return value changes from true to false.
I don't like that option either because it feels like a hack. Also, I
guess it only works with SSL_read(). SSL_write() might send data before
I've had a chance to check whether the subjectAltName matches what I expect.
3. Use SSL_set_verify() and provide a callback function.
This sounds promising but the callback function gets called for every
certificate in the chain. How can I find out whether the certificate in
question is the peer's cert and not some intermediate cert?
Thanks and regards
Daniel
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org