[openssl-users] SSL_CTX_set_cert_verify_callback and certificate access

Jordan Brown openssl at jordan.maileater.net
Thu Jan 10 16:15:04 UTC 2019


On 1/9/2019 6:54 PM, Corey Minyard wrote:
> 2. Set the userid in the certificate and use client authentication to
>    authenticate the user logging in.  Set the username in the CN field
>    of the certificate so it can't be changed, extract that and set the
>    CA before verification.  This is what I'm currently trying to do,
>    and I keep running into roadblocks.

Why do you think you need to set the CA?

It seems like you should let OpenSSL verify the certificate against your
list of trusted CAs, and if it succeeds then you know that one of those
CAs vouches for this user's identity.  Then you look at their subject
name to derive the user ID (probably from its CN).  If you want to be
really paranoid - if you believe that Verisign can vouch for John and
Comodo can vouch for Sam, but not vice versa, factor the issuer name
into the process.

-- 
Jordan Brown, Oracle ZFS Storage Appliance, Oracle Solaris
