Unfortunately I need a bit more than that. I have two things I'm trying to accomplish, both in the context of checking a client that is connecting to the server: 1. The OpenSSL code by default does not check the OCSP revocation servers when validating a certificate, and I haven't found a "built in" way to do that. Thus, I need to pull out the OCSP responder location from the certificate and check it myself. In this particular application the certificates all come from a private CA which has an OCSP server associated with it, and if a certificate is revoked it's important that it be immediately invalidated. I also wish to have the server operator be given the choice of either allowing the connection to proceed if the OCSP server fails to respond (e.g. is offline temporarily) or to drop the connection. 2. The server has both a "name" (which is usually a shorter version of the hostname; a short "nickname" is nice from a user interface perspective) it expects to connect and a password. While I could simply rely on the presentation of that from the client theft of that tuple would allow any valid certificate-bearing client to impersonate a different client. I can significantly harden against that risk by adding the SAN hostname to the database of names and passwords; now to be considered when the credential is presented the cert associated with that peer has to contain a SAN extension containing the expected DNS name as well. Thus, if you manage to steal a set of login credentials unless you *also* steal the certificate and key associated with it what you managed to get your hands on is worthless. I've got #2 working and am working on #1; it doesn't look all that awful to implement. On 1/13/2016 06:50, Michel wrote: > > Hi Karl, > > > > I believe it could be helpful to have a look at the 509_check_host() > and do_x509_check() source code in crypto\x509v3\v3_utl.c. > > Also, if you want to parse the SAN just for certificate validation, it > is now easier to use : > > https://www.openssl.org/docs/manmaster/crypto/X509_VERIFY_PARAM_set_flags.html > > > > Hope this helps, > > > > Regards, > > > > Michel. > > > > *De :*openssl-users [mailto:openssl-users-bounces at openssl.org] *De la > part de* Karl Denninger > *Envoy? :* lundi 11 janvier 2016 04:08 > *? :* openssl-users at openssl.org > *Objet :* Re: [openssl-users] (Probably) Silly Application Programming > Question > > > > Yeah, now I just have to figure out how to parse the X509 Extension > data from the certificate to pull out the SubjectAltName > information.... :-) > > There wouldn't be a snippet of code laying around somewhere that does > that given a X509 cert as input would there? It looks a bit arcane.... > > > > > > _______________________________________________ > openssl-users mailing list > To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users -- Karl Denninger karl at denninger.net <mailto:karl at denninger.net> /The Market Ticker/ /[S/MIME encrypted email preferred]/ -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20160113/9d1b32c3/attachment.html> -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/pkcs7-signature Size: 2996 bytes Desc: S/MIME Cryptographic Signature URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20160113/9d1b32c3/attachment.bin>
