<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
Unfortunately I need a bit more than that.<br>
<br>
I have two things I'm trying to accomplish, both in the context of
checking a client that is connecting to the server:<br>
<br>
1. The OpenSSL code by default does not check the OCSP revocation
servers when validating a certificate, and I haven't found a "built-in"
way to do that. Thus, I need to pull out the OCSP responder
location from the certificate and check it myself. In this
particular application the certificates all come from a private CA
which has an OCSP server associated with it, and if a certificate is
revoked it's important that it be immediately invalidated. I also
wish to have the server operator be given the choice of either
allowing the connection to proceed if the OCSP server fails to
respond (e.g. is offline temporarily) or to drop the connection.<br>
<br>
2. The server has both a "name" (which is usually a shorter version
of the hostname; a short "nickname" is nice from a user interface
perspective) it expects to connect and a password. While I could
simply rely on the presentation of that from the client, theft of
that tuple would allow any valid certificate-bearing client to
impersonate a different client. I can significantly harden against
that risk by adding the SAN hostname to the database of names and
passwords; now, to be considered when the credential is presented, the
cert associated with that peer has to contain a SAN extension
containing the expected DNS name as well. Thus, if you manage to
steal a set of login credentials, unless you *also* steal the
certificate and key associated with it, what you managed to get your
hands on is worthless.<br>
<br>
I've got #2 working and am working on #1; it doesn't look all that
awful to implement.<br>
<br>
<div class="moz-cite-prefix">On 1/13/2016 06:50, Michel wrote:<br>
</div>
<blockquote cite="mid:001201d14e01$0a94c1f0$1fbe45d0$@sales@free.fr"
type="cite">
<div class="WordSection1">
<p class="MsoNormal">Hi Karl,</p>
<p class="MsoNormal">I believe it could be helpful to have a look at the
X509_check_host() and do_x509_check() source code in
crypto\x509v3\v3_utl.c.</p>
<p class="MsoNormal">Also, if you want to parse the SAN just for certificate
validation, it is now easier to use:</p>
<p class="MsoNormal"><a class="moz-txt-link-freetext" href="https://www.openssl.org/docs/manmaster/crypto/X509_VERIFY_PARAM_set_flags.html">https://www.openssl.org/docs/manmaster/crypto/X509_VERIFY_PARAM_set_flags.html</a></p>
<p class="MsoNormal">Hope this helps,</p>
<p class="MsoNormal">Regards,</p>
<p class="MsoNormal">Michel.</p>
<div style="border:none;border-top:solid #B5C4DF
1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b>From:</b>
openssl-users [<a class="moz-txt-link-freetext" href="mailto:openssl-users-bounces@openssl.org">mailto:openssl-users-bounces@openssl.org</a>] <b>On
behalf of</b> Karl Denninger<br>
<b>Sent:</b> Monday, 11 January 2016 04:08<br>
<b>To:</b> <a class="moz-txt-link-abbreviated" href="mailto:openssl-users@openssl.org">openssl-users@openssl.org</a><br>
<b>Subject:</b> Re: [openssl-users] (Probably) Silly
Application Programming Question</p>
<p class="MsoNormal" style="margin-bottom:12.0pt">Yeah, now I
just have to figure out how to parse the X509 Extension data
from the certificate to pull out the SubjectAltName
information.... :-)<br>
<br>
There wouldn't be a snippet of code laying around somewhere
that does that given a X509 cert as input, would there? It
looks a bit arcane....</p>
</div>
</div>
<br>
<br>
<pre wrap="">_______________________________________________
openssl-users mailing list
To unsubscribe: <a class="moz-txt-link-freetext" href="https://mta.openssl.org/mailman/listinfo/openssl-users">https://mta.openssl.org/mailman/listinfo/openssl-users</a>
</pre>
</blockquote>
<br>
<div class="moz-signature">-- <br>
Karl Denninger<br>
<a href="mailto:karl@denninger.net">karl@denninger.net</a><br>
<i>The Market Ticker</i><br>
<font size="-2"><i>[S/MIME encrypted email preferred]</i></font>
</div>
</body>
</html>