[openssl-users] SSL_CTX_set_cert_verify_callback and certificate access

Jakob Bohm jb-openssl at wisemo.com
Thu Jan 10 22:10:11 UTC 2019


On 10/01/2019 19:55, Corey Minyard wrote:
> On 1/10/19 11:00 AM, Michael Wojcik wrote:
>>> From: openssl-users [mailto:openssl-users-bounces at openssl.org] On 
>>> Behalf Of Jordan Brown
>>> Sent: Thursday, January 10, 2019 11:15
>>> On 1/9/2019 6:54 PM, Corey Minyard wrote:
>>>> 2. Set the userid in the certificate and use client authentication to
>>>>    authenticate the user logging in.  Set the username in the CN field
>>>>    of the certificate so it can't be changed, extract that and set the
>>>>    CA before verification.  This is what I'm currently trying to do,
>>>>    and I keep running into roadblocks.
>>> Why do you think you need to set the CA?
>> Agreed. That's an odd requirement.
>
> Thanks for the responses.
>
> It is unusual, perhaps, but I'm trying to implement something like ssh 
> does.  I can't expect users of ser2net to obtain certificates from a 
> real certificate authority, that's too high a barrier for entry.  I 
> want them to be able to generate a key pair, put the public key on the 
> server in their account, and authenticate against that.
>
> It's a balance of getting reasonable security that people will 
> actually use.
>
A simpler solution is to report "Any client CA accepted", then
compare the returned certificate fingerprint (strong hash of
DER-encoded end cert) against a user database, listing the
user name for each cert.

Validation then only checks if the certificate is revoked or
technically invalid (expired, claims to be signed by a CA
that didn't, syntactically invalid, wrong Extended-Key-Usage
etc.).  But signed by a completely unknown CA, or self-signed
is A-OK as long as the end cert is listed as belonging to that
user (similar to an SSH public key).

By the way, I do think ssh can be made to work by handing the
SSH library the actual serial port handles once the user has
been authenticated.  Some SSH libraries may even be able to
do things like BREAK via standard SSH mechanisms.

Enjoy

Jakob
-- 
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded