Re: Verifying 'CN' in client certificates using TLS

On Wed, Feb 06, 2002 at 04:15:35AM -0800, Howard Chu wrote:

> The OpenSSL library supports a callback function that can be used to augment
> the normal verification process. OpenLDAP doesn't do much with this callback
> other than print debug traces. You could always patch your slapd to use a
> more extensive check, extracting the CN, looking up the DNS info and failing
> the connection if things don't match. It seems to me that you're really not
> buying much security from doing this work. After all, the client cert can
> only be used by someone who possesses the matching private key. If your
> clients' private keys are already vulnerable enough that they can be
> compromised, then DNS/IP spoofing is irrelevant.

Thanks for the SSL references, I realise there are a few creases to still
iron out in this model. Another patch won't feel lonely though...

Steve
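The extra check Howard describes, extracting the CN from the client certificate and testing it against DNS, written as an added example in Python rather than as a patch to slapd's OpenSSL verify callback (not code from this thread or from OpenLDAP). It assumes the certificate in the form ssl.SSLSocket.getpeercert() returns and takes the resolver as a parameter, so it runs offline against constructed data.

```python
import ipaddress
import socket

def system_resolver(hostname):
    """Forward-resolve hostname (A and AAAA) with the system resolver."""
    return {info[4][0] for info in socket.getaddrinfo(hostname, None)}

def common_names(peercert):
    """Every commonName in the 'subject' structure that
    ssl.SSLSocket.getpeercert() returns: a tuple of RDNs, each a tuple
    of (attribute, value) pairs."""
    return [v for rdn in peercert.get("subject", ()) for a, v in rdn
            if a == "commonName"]

def cn_matches_peer(peercert, peer_ip, resolver=system_resolver):
    """True iff some CN in the client cert forward-resolves to the address
    the connection came from.  The CN is resolved forward rather than the
    IP reversed, because PTR records belong to whoever owns the address.
    Call this only after normal chain verification succeeded; it augments
    that check, it does not replace it."""
    try:
        peer = ipaddress.ip_address(peer_ip)
    except ValueError:
        return False
    for cn in common_names(peercert):
        host = cn.rstrip(".").lower()
        if not host or "*" in host:   # a wildcard CN names no single host
            continue
        try:
            addrs = list(resolver(host))
        except OSError:               # socket.gaierror is a subclass
            continue
        for text in addrs:
            try:
                if ipaddress.ip_address(text) == peer:
                    return True
            except ValueError:        # resolver returned junk; skip it
                continue
    return False

# Constructed sample: getpeercert() output for a cert issued to ldapclient.example.com.
SAMPLE_CERT = {"subject": ((("organizationName", "Example"),),
                           (("commonName", "ldapclient.example.com"),))}

# Constructed resolver so the example runs offline.
FAKE_DNS = {"ldapclient.example.com": ["192.0.2.10", "2001:db8::10"]}
def fake_resolver(host):
    if host not in FAKE_DNS:
        raise socket.gaierror(-2, "Name or service not known")
    return FAKE_DNS[host]
```

As Howard notes, this only adds a binding between the certificate's name and the network path; the private key still has to be protected for the client certificate to mean anything.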