Re: enforcing mutual auth from the client

On Fri, Sep 02, 2022 at 12:22:35AM +0000, Wall, Stephen wrote:

> > A compromised server could easily still request the client certificate, no?
> 
> > But as noted, even a compromised server can ask for client credentials and then
> 
> Yes, that's true.  If the intruder knew to do so.  Also, a thief can
> break your window and get into your car, so you might as well leave
> them rolled down all the time.
> 
> The question wasn't "Should I care that..."  or "Is it a good idea
> to...".  It was "Can OpenSSL 3 do this".

At the conclusion of the handshake you can enquire whether the
server sent a CertificateRequest by asking for the list of peer_CA_DNs,
via SSL_get0_peer_CA_list(3).

If I am not mistaken, the documentation fails to make clear that NULL is
returned when the server did not solicit a client certificate, and a
non-null (possibly empty) stack of X509_NAME is returned otherwise.

Of course this test should only be applied for a full handshake; reused
sessions piggyback on the certificates exchanged in the original full
handshake.

-- 
    Viktor.