[openssl-users] SSL_CTX_set_cert_verify_callback and certificate access

Corey Minyard minyard at acm.org
Thu Jan 10 18:55:01 UTC 2019


On 1/10/19 11:00 AM, Michael Wojcik wrote:
>> From: openssl-users [mailto:openssl-users-bounces at openssl.org] On Behalf Of Jordan Brown
>> Sent: Thursday, January 10, 2019 11:15
>> On 1/9/2019 6:54 PM, Corey Minyard wrote:
>>> 2. Set the userid in the certificate and use client authentication to
>>>    authenticate the user logging in.  Set the username in the CN field
>>>    of the certificate so it can't be changed, extract that and set the
>>>    CA before verification.  This is what I'm currently trying to do,
>>>    and I keep running into roadblocks.
>> Why do you think you need to set the CA?
> Agreed. That's an odd requirement.

Thanks for the responses.

It is unusual, perhaps, but I'm trying to implement something like ssh 
does.  I can't expect users of ser2net to obtain certificates from a 
real certificate authority; that's too high a barrier to entry.  I want 
them to be able to generate a key pair, put the public key on the server 
in their account, and authenticate against that.

It's a balance of getting reasonable security that people will actually use.

-corey


