On 1/9/2019 6:54 PM, Corey Minyard wrote: > 2. Set the userid in the certificate and use client authentication to > authenticate the user logging in. Set the username in the CN field > of the certificate so it can't be changed, extract that and set the > CA before verification. This is what I'm currently trying to do, > and I keep running into roadblocks.
Why do you think you need to set the CA? It seems like you should let OpenSSL verify the certificate against your list of trusted CAs, and if it succeeds then you know that one of those CAs vouches for this user's identity. Then you look at their subject name to derive the user ID (probably from its CN). If you want to be really paranoid - if you believe that Verisign can vouch for John and Comodo can vouch for Sam, but not vice versa, factor the issuer name into the process. -- Jordan Brown, Oracle ZFS Storage Appliance, Oracle Solaris
-- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
