Validating Client Certificates

I am developing an application that clients will access.  I don't want to use passwords as the users have shown a propensity to use easily guessed passwords etc.  I am trying to use client certificates.  I have set up a local CA that is used to generate the client certificates.  The user's identity is entered into the subject CN.

My client certificates are properly accepted.  However, I am unable to tell just what SSL_accept validates.  I have not been able to find any documentation on what it actually checks.  My testing shows that the client certificate must be signed by a known root certificate, but does SSL_accept verify that the signing certificate is the one indicated in the client certificate, and how does it check that?  In my server, I am checking the certificate serial number.  Is that necessary and sufficient to ensure that the certificate is the one I generated and not a fake?

It seems that it might be possible to create a CA that is certified by one of the known root certificates and use it to generate a client certificate with the identical issuer information.  Obtaining the proper issuer serial number would take some work, but I suspect it is possible.  The rest of that information is trivial.  Thanks,

-- Doug
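An added example, not from the post or its replies, of the server-side setup that answers the concern above: the verification store is restricted to the local CA only (so a certificate chaining to any public root fails the handshake regardless of copied issuer data), and the subject CN is read only after that chain check passed. It uses Python's ssl module, which runs the same OpenSSL verification that SSL_accept does; LOCAL_CA_NAME, the revoked-serial set and the certificate dicts are constructed values.

```python
import ssl
from typing import Optional

# Constructed for this example: the subject name of the local CA that issued
# the client certificates, in the tuple form SSLSocket.getpeercert() returns.
LOCAL_CA_NAME = (
    (("countryName", "US"),),
    (("organizationName", "Example Corp"),),
    (("commonName", "Example Corp Client CA"),),
)


def make_server_context(ca_file: str) -> ssl.SSLContext:
    """Server context that accepts only certificates chaining to our own CA.

    Only the local CA is loaded; load_default_certs() is deliberately not
    called, so a client certificate issued by a public CA, even one whose
    issuer name and serial were copied from ours, fails the handshake.
    The verification itself (signature, validity period, chain to a trusted
    root) is done by OpenSSL during the handshake, as with SSL_accept.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    # Equivalent of SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT.
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.load_verify_locations(cafile=ca_file)
    return ctx


def peer_identity(cert: dict, revoked_serials=frozenset()) -> Optional[str]:
    """Return the subject CN of a chain-validated peer cert, or None to reject.

    `cert` has the shape returned by SSLSocket.getpeercert() after the
    handshake. Chain validation is already done at that point; this applies
    application policy only: the direct issuer must be our CA (defence in
    depth should the trust store ever grow) and the serial must not be on
    the revoked list. A serial check alone would not stop the forged-issuer
    case; restricting the trust store is what does.
    """
    if not cert:  # no certificate was presented
        return None
    if tuple(cert.get("issuer", ())) != LOCAL_CA_NAME:
        return None
    if cert.get("serialNumber", "").upper() in revoked_serials:
        return None
    cns = [v for rdn in cert.get("subject", ()) for (k, v) in rdn if k == "commonName"]
    if len(cns) != 1:  # exactly one CN carries the user identity
        return None
    return cns[0]
```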
