[openssl-users] SSL_CTX_set_cert_verify_callback and certificate access
Corey Minyard
minyard at acm.org
Thu Jan 10 18:55:01 UTC 2019
On 1/10/19 11:00 AM, Michael Wojcik wrote:
>> From: openssl-users [mailto:openssl-users-bounces at openssl.org] On Behalf Of Jordan Brown
>> Sent: Thursday, January 10, 2019 11:15
>> On 1/9/2019 6:54 PM, Corey Minyard wrote:
>>> 2. Set the userid in the certificate and use client authentication to
>>> authenticate the user logging in. Set the username in the CN field
>>> of the certificate so it can't be changed, extract that and set the
>>> CA before verification. This is what I'm currently trying to do,
>>> and I keep running into roadblocks.
>> Why do you think you need to set the CA?
> Agreed. That's an odd requirement.
Thanks for the responses.
It is unusual, perhaps, but I'm trying to implement something like ssh
does. I can't expect users of ser2net to obtain certificates from a
real certificate authority, that's too high a barrier for entry. I want
them to be able to generate a key pair, put the public key on the server
in their account, and authenticate against that.
It's a balance of getting reasonable security that people will actually use.
-corey
More information about the openssl-users
mailing list