Re: SSL_CTX_set_cert_verify_callback and certificate access

On 1/9/2019 6:54 PM, Corey Minyard wrote:
> 2. Set the userid in the certificate and use client authentication to
>    authenticate the user logging in.  Set the username in the CN field
>    of the certificate so it can't be changed, extract that and set the
>    CA before verification.  This is what I'm currently trying to do,
>    and I keep running into roadblocks.

Why do you think you need to set the CA?

It seems like you should let OpenSSL verify the certificate against your list of trusted CAs, and if it succeeds then you know that one of those CAs vouches for this user's identity.  Then you look at their subject name to derive the user ID (probably from its CN).  If you want to be really paranoid - if you believe that Verisign can vouch for John and Comodo can vouch for Sam, but not vice versa, factor the issuer name into the process.

-- 
Jordan Brown, Oracle ZFS Storage Appliance, Oracle Solaris
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
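The flow described in the reply above (let OpenSSL validate the chain against the trusted CAs, then derive the user ID from the subject CN and, optionally, gate on which issuer vouched for it), as an added example using Python's ssl module, which wraps OpenSSL; it is not code from this thread. The ISSUER_POLICY table, the CA names and the user names are constructed assumptions, as is the sample certificate dict.

```python
import ssl
from typing import Optional

# Per-issuer policy: which users each trusted CA is allowed to vouch for
# ("Verisign can vouch for John and Comodo can vouch for Sam, not vice versa").
# Issuer names and user names here are constructed sample values.
ISSUER_POLICY = {
    "Example Verisign CA": {"john"},
    "Example Comodo CA": {"sam"},
}

def make_server_context(ca_file: str) -> ssl.SSLContext:
    """Let OpenSSL do the chain validation: require a client certificate
    and verify it against our own list of trusted CAs."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.load_verify_locations(cafile=ca_file)
    return ctx

def _rdn_value(name: tuple, attr: str) -> Optional[str]:
    """Pull one attribute out of the getpeercert() name structure,
    which is a tuple of RDNs, each a tuple of (type, value) pairs."""
    for rdn in name:
        for key, value in rdn:
            if key == attr:
                return value
    return None

def user_id_from_cert(peercert: dict) -> Optional[str]:
    """Derive the user ID from an already verified peer certificate
    (the dict SSLSocket.getpeercert() returns after a CERT_REQUIRED
    handshake): take the subject CN and require that the issuer is one
    allowed to vouch for that user. Returns None if no authorised user
    can be derived."""
    cn = _rdn_value(peercert.get("subject", ()), "commonName")
    issuer = _rdn_value(peercert.get("issuer", ()), "commonName")
    if cn is None or issuer is None:
        return None
    if cn not in ISSUER_POLICY.get(issuer, set()):
        return None
    return cn

# Constructed sample in the shape returned by SSLSocket.getpeercert()
SAMPLE_CERT = {
    "subject": ((("countryName", "US"),), (("commonName", "john"),)),
    "issuer": ((("commonName", "Example Verisign CA"),),),
}
```

Note that getpeercert() only returns a populated dict when the certificate was actually validated during the handshake, so the issuer check here supplements, and never replaces, OpenSSL's own chain verification.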
