> From: owner-openssl-us...@openssl.org On Behalf Of Charles Mills
> Sent: Monday, 08 October, 2012 07:47

> Dave, any thoughts on my original question? My thread kind of got
> hijacked.

Not much, but since you ask:

> -----Original Message-----
> From: Charles Mills [mailto:charl...@mcn.org] 
> Sent: Saturday, October 06, 2012 9:52 AM
> To: openssl-users@openssl.org
> Subject: Best practice for client cert name checking
> 
> I have recently written a product that incorporates SSL/TLS server code
> that processes client certificates. I designed what I thought made sense
> at the time but now I am wondering if what I did was best.
> 
Whatever you, or your users/boss/customers/etc., need.

The technical question is do you use -- that is, have 
your clients use -- "public" CAs (like Verisign etc.) 
or a CA that you control (operate or contract with)?
If the latter, maybe you can limit issuance so that any cert 
issued by this CA and not revoked is a good client.
(Although for openssl revocation checking to be accurate, 
either you must have some method to update CRLs often enough 
or you must implement OCSP.) 

> In the product's configuration file the sysadmin may optionally include
> a whitelist of client names. If the sysadmin does so, then the server
> requests a client certificate. At least one of the names (subject O=
> and Alternative names, including wildcards) in the certificate must
> match one of the names in the whitelist or I reject the session.
> 
For public certs you may want CN (Common Name) as well as 
or even instead of O (Organization). 

> Something I saw recently got me to wondering whether I should have made
> some sort of provision for checking IP addresses: perhaps verifying that
> the client IP address appeared in the Alternative names in the client
> certificate as well as in the whitelist? Or perhaps that the IP address
> matched an alternative name and the subject name appeared in the
> whitelist?
> 
I wouldn't. In much of today's internet IP addresses are not 
very stable at identifying machines, and even less so people.
But it's up to your users/etc what they need, or want.

FWIW, I work in a back-end environment where the systems that 
connect are relatively few and very stable, though distant, 
so we just have our own CA which issues certs to only valid 
clients. Your situation is likely different.


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
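As an added example (not code from this thread or from OpenSSL), here is the whitelist check Charles describes, written in Python against the dict layout that `ssl.SSLSocket.getpeercert()` returns for a verified peer. The certificate dict, the whitelist entries and the host names are constructed sample data. It checks subject O and CN (as Dave suggests) plus DNS Subject Alternative Names, treats a `*` in a whitelist entry as a single leftmost label in the RFC 6125 style, and ignores IP-address SANs unless the operator explicitly turns that on.

```python
"""Match a client certificate's names against a configured whitelist.

Added example, not from the thread. Input is a dict in the shape that
ssl.SSLSocket.getpeercert() returns after a successful chain check;
this code only does the name-to-whitelist policy step that comes
after chain validation and revocation checking.
"""
import ipaddress
from typing import List, Optional, Tuple

# Constructed sample in getpeercert() layout: subject is a tuple of RDNs,
# each RDN a tuple of (attribute, value) pairs; SANs are (kind, value).
SAMPLE_PEERCERT = {
    "subject": (
        (("organizationName", "Example Widgets Inc"),),
        (("commonName", "batch01.example.test"),),
    ),
    "subjectAltName": (
        ("DNS", "batch01.example.test"),
        ("DNS", "*.backup.example.test"),
        ("IP Address", "192.0.2.10"),
    ),
}


def name_matches(pattern: str, name: str) -> bool:
    """Case-insensitive compare of a whitelist pattern against a cert name.

    '*' is allowed only as the entire leftmost label of the pattern, it
    matches exactly one non-empty label, and a pattern needs at least two
    labels after the wildcard so '*.test' is refused. A wildcard name in
    the certificate only matches an identical whitelist entry.
    """
    p = pattern.lower().rstrip(".")
    n = name.lower().rstrip(".")
    if p == n:
        return True
    if "*" not in p:
        return False
    p_labels, n_labels = p.split("."), n.split(".")
    if p_labels[0] != "*" or any("*" in lbl for lbl in p_labels[1:]):
        return False
    if len(p_labels) < 3 or len(n_labels) != len(p_labels):
        return False
    return n_labels[0] != "" and p_labels[1:] == n_labels[1:]


def certificate_names(peercert: dict) -> List[Tuple[str, str]]:
    """Collect (kind, value) pairs worth matching: subject O and CN first,
    then every SAN. IP SANs are kept but tagged so the policy can skip them."""
    names: List[Tuple[str, str]] = []
    for rdn in peercert.get("subject", ()):
        for attr, value in rdn:
            if attr in ("organizationName", "commonName"):
                names.append((attr, value))
    for kind, value in peercert.get("subjectAltName", ()):
        names.append((kind, value))
    return names


def client_allowed(peercert: dict, whitelist: List[str],
                   accept_ip_san: bool = False) -> Optional[str]:
    """Return 'kind=value' of the first certificate name that matches the
    whitelist, or None to reject the session. IP-address SANs are ignored
    unless accept_ip_san is set, and then only match an exact IP entry."""
    for kind, value in certificate_names(peercert):
        if kind == "IP Address":
            if not accept_ip_san:
                continue
            for entry in whitelist:
                try:
                    if ipaddress.ip_address(entry) == ipaddress.ip_address(value):
                        return f"{kind}={value}"
                except ValueError:
                    continue  # whitelist entry is a name, not an address
            continue
        for entry in whitelist:
            if name_matches(entry, value):
                return f"{kind}={value}"
    return None


if __name__ == "__main__":
    for wl in (["*.example.test"], ["example widgets inc"], ["192.0.2.10"]):
        print(wl, "->", client_allowed(SAMPLE_PEERCERT, wl))
```

The whitelist is consulted in order, and the matched name is returned rather than a bare boolean so the server can log which identity authorised the session; that record is what you will want when a certificate later has to be revoked or the whitelist tightened.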