[openssl-users] SSL_CTX_set_cert_verify_callback and certificate access

Jordan Brown openssl at jordan.maileater.net
Fri Jan 11 18:14:28 UTC 2019


On 1/10/2019 10:55 AM, Corey Minyard wrote:
> It is unusual, perhaps, but I'm trying to implement something like ssh
> does.  I can't expect users of ser2net to obtain certificates from a
> real certificate authority, that's too high a barrier for entry.  I
> want them to be able to generate a key pair, put the public key on the
> server in their account, and authenticate against that. 


Nobody said you needed a real certificate authority.  You need a
*trusted* certificate authority.

You could put the user's self-signed certificate into their account as a
trusted CA.

However... it seems like you're reinventing ssh.  Your replacement for
ssh will likely require a custom client, which will be a pain in the
neck for your users.  Maybe you should start with an existing ssh
library and hack it until it behaves the way you need.

-- 
Jordan Brown, Oracle ZFS Storage Appliance, Oracle Solaris
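
The "self-signed certificate as the account's trusted CA" approach Jordan describes, as an added shell example (not code from the thread or from ser2net): each account's trust store holds only the owner's own self-signed certificate, and a presented certificate is verified against the claimed account's store alone. It assumes the openssl CLI is on PATH; the accounts/<user>/trusted.pem layout and the user names are made up.

```sh
#!/bin/sh
# Added example, not code from the thread: each account's trust store is the
# account owner's own self-signed certificate, so that certificate acts as the
# only CA accepted for that account. Assumes the openssl CLI is on PATH; the
# accounts/<user>/trusted.pem layout is a made-up convention.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Enrolment: the user generates a key pair plus a self-signed certificate, and
# a copy of that certificate is placed in their account as the trusted CA.
enrol_user() {   # $1 = account name
    mkdir -p "$WORK/accounts/$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
    cp "$WORK/$1.crt" "$WORK/accounts/$1/trusted.pem"
}

# Authentication check: verify the presented certificate against the trust
# store of the claimed account only. Prints accept/reject, returns 0/1.
verify_for_account() {   # $1 = claimed account, $2 = presented certificate
    if openssl verify -CAfile "$WORK/accounts/$1/trusted.pem" "$2" >/dev/null 2>&1
    then echo accept; return 0
    else echo reject; return 1
    fi
}

enrol_user alice
enrol_user mallory
# A certificate that names alice but is signed with mallory's key: the subject
# name alone must not be enough to get into alice's account.
openssl req -x509 -new -key "$WORK/mallory.key" -days 365 -subj "/CN=alice" \
    -out "$WORK/impostor.crt" 2>/dev/null

verify_for_account alice "$WORK/alice.crt"                # accept
verify_for_account alice "$WORK/mallory.crt" || true      # reject
verify_for_account alice "$WORK/impostor.crt" || true     # reject
```

Because the trust store contains exactly one self-signed certificate, only the holder of the matching private key can produce a chain that verifies, which is the same property ssh's authorized_keys gives you.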
