[Date Prev][Date Next]
Re: Verifying 'CN' in client certificates using TLS
On Wed, Feb 06, 2002 at 04:15:35AM -0800, Howard Chu wrote:
> The OpenSSL library supports a callback function that can be used to augment
> the normal verification process. OpenLDAP doesn't do much with this callback
> other than print debug traces. You could always patch your slapd to use a
> more extensive check, extracting the CN, looking up the DNS info and failing
> the connection if things don't match. It seems to me that you're really not
> buying much security from doing this work. After all, the client cert can
> only be used by someone who possesses the matching private key. If your
> clients' private keys are already vulnerable enough that they can be
> compromised, then DNS/IP spoofing is irrelevant.
Thanks for the SSL references, I realise there are a few creases to still
iron out in this model. Another patch won't feel lonely though.....