SSL_CTX_set_cert_verify_callback and certificate access

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



I'm working on an application using openssl, and I would like to set some things up for verification based upon information in the certificate.  Unfortunately, from what I can tell, there is no way to do this.  (Maybe it's not a good idea.  Not sure.)

What I would like to do is pull out some information from the certificate that is being verified, set/modify the verify store based upon that information (basically chose the CA based upon something in the certificate.  What I really need is X509_STORE_CTX_get_cert(), but that function does not exist, and there's no way to get ctx->cert from what I can tell.  It's not available with SSL_get_peer_certificate at the point where the cert verify call is done.

It would also be nice to be able to replace the verify store in the X509_STORE_CTX, or empty it, but I haven't looked too hard at that.

More details on what I am trying to do follow, in case you are interested...

I am the maintainer for ser2net, a program that allows network connections to connect to serial ports.  People have asked for login security, but I refuse to transmit passwords like this over the network in the clear.  But, in reality, people are logging in over this interface, and it has bothered me for a while.  So, I've been looking at adding security.  I have rewritten ser2net to split it into two parts: a library that does general-purpose stream I/O to handle all the connections and the serial ports, and the main handling and configuration.  The library (called gensio) is a layered system, so you have TCP/UCP/SCTP/stdio/serial/IPMIsol available as low-level interfaces.  Then you have filter layers on top, like SSL and telnet.  So you can create an SCTP connection, put SSL on top of that, then put telnet on top of that, for instance.  I already have basic SSL support working.

My first inclination for a secure connection was to use ssh. However, ssh is not as well suited for this as I would have liked, and all the ssh libraries are tied to a file descriptor in ways that are not easily fixable, and thus can't be used on top of an abstract connection, which is what I need.  That was rather disappointing, as it would have been really nice to for users to just be able to ssh to ser2net.

So now I'm looking at doing something like what ssh does, but with openssl. Unfortunately, SSL has no concept of a userid and I would like to have it verify certificates from different stores based upon a userid.  I've come up with the following options:

1. Send the userid in a lower layer filter so it is transmitted before
   ssl starts up.  This means the userid is not authenticated in any
   way, which seems like a bad idea.
2. Set the userid in the certificate and use client authentication to
   authenticate the user logging in.  Set the username in the CN field
   of the certificate so it can't be changed, extract that and set the
   CA before verification.  This is what I'm currently trying to do,
   and I keep running into roadblocks.
3. Create a filter layer that can sit on top of SSL that will basically
   do what SSL client authentication does, except it can get the userid
   as the first part of the data and then run the authentication from
   there.  This is definitely doable, and then the userid is
   transmitted encrypted (which seems nice) but it's duplicating some
   fairly complex code that would already be done for me by openssl.

I am afraid I am going to be stuck with option 3, which is not terrible, I suppose.  But does anyone have any ideas here?

Thanks,

-corey

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users




[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux