Validating Client Certificates
Doug Hardie
bc979 at lafn.org
Thu Mar 14 03:50:17 UTC 2024
I am developing an application that clients will access. I don't want to use passwords as the users have shown a propensity to use easily guessed passwords etc. I am trying to use client certificates. I have set up a local CA that is used to generate the client certificates. The user's identity is entered into the subject CN.
My client certificates are properly accepted. However, I am unable to tell just what SSL_accept validates. I have not been able to find any documentation on what it actually checks. My testing shows that the client certificate must be signed by a known root certificate, but does SSL_accept verify that the signing certificate is the one indicated in the client certificate, and how does it check that? In my server, I am checking the certificate serial number. Is that necessary and sufficient to ensure that the certificate is the one I generated and not a fake?
It seems that it might be possible to create a CA that is certified by one of the known root certificates and use it to generate a client certificate with the identical issuer information. Obtaining the proper issuer serial number would take some work, but I suspect it is possible. The rest of that information is trivial. Thanks,
-- Doug
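An added shell example, not part of Doug's message or any OpenSSL project code, showing what the server-side verification behind SSL_accept actually relies on: a second CA with a byte-for-byte identical issuer name, issuing a certificate with the same serial number and CN, still fails against a trust store that holds only the genuine CA, because the chain check verifies the signature rather than matching names. It assumes the openssl command-line tool; all names and the serial number are made up.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes the openssl CLI.
# Names, CN and serial below are constructed for the demonstration.
set -e

# Build the genuine CA, a look-alike CA with an identical subject, and one
# client CSR signed by each with the same serial, in a scratch directory.
setup_pki() {
    WORK=$(mktemp -d)
    cd "$WORK"
    for ca in genuine lookalike; do
        openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
            -subj "/CN=Local Client CA" \
            -keyout "$ca-ca.key" -out "$ca-ca.pem" 2>/dev/null
    done
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=alice" \
        -keyout client.key -out client.csr 2>/dev/null
    for ca in genuine lookalike; do
        openssl x509 -req -in client.csr -CA "$ca-ca.pem" -CAkey "$ca-ca.key" \
            -set_serial 4242 -days 1 -out "client-from-$ca.pem" 2>/dev/null
    done
}

# Returns 0 if the certificate chains (by signature) to the trusted CA.
# This is the chain check SSL_accept performs with SSL_VERIFY_PEER set and
# a trust store containing only the genuine CA.
verify_client() {
    openssl verify -CAfile genuine-ca.pem "$1" >/dev/null 2>&1
}

# Prints the subject of a certificate, the field the post uses for identity.
client_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject=//'
}

# Returns 0 when the genuine cert verifies, the look-alike is rejected, and
# issuer plus serial are shown to be identical on both (so neither field
# alone tells them apart).
demo() {
    setup_pki
    verify_client client-from-genuine.pem   || return 1
    verify_client client-from-lookalike.pem && return 1
    [ "$(client_cn client-from-genuine.pem)" = "CN=alice" ] || return 1
    [ "$(openssl x509 -in client-from-genuine.pem -noout -issuer -serial)" = \
      "$(openssl x509 -in client-from-lookalike.pem -noout -issuer -serial)" ] || return 1
    cd - >/dev/null && rm -rf "$WORK"
}
```

Run `demo` to exercise the three checks; the practical takeaway is that the issuer name and serial number carried in a certificate are not what authenticates it, the signature against the configured trust store is.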