Re: How to reject a certificate with access_denied?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 





On 06/06/2022 18:08, Christian Schmidt wrote:
Hi,

I am building a server application that allows a user to log in by
providing a certificate. In order to do custom checks, I have added a
verify callback to my code to check the certificate on top of its
cryptographic features (CA Valid, etc).

If the certificate does not pass my extended checks, I would like to
return the access_denied alert as per RFC8446 section 6.2:

access_denied:  A valid certificate or PSK was received, but when
    access control was applied, the sender decided not to proceed with
    negotiation.

However, I can't find a way to generate this alert in openssl, although
openssl can handle receiving it.

How do I make a callback return a non-defined (as in not defined in the
headers) alert?

This is not currently possible.

OpenSSL has an internal table which maps verify errors to TLS alerts:

https://github.com/openssl/openssl/blob/9f3626f2473bdce53e85eba96e502e950e29e16f/ssl/statem/statem_lib.c#L1350-L1394

Unfortunately there are no entries in this table that map to the access_denied alert.

Matt



[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux