You can use subjectAltName for the IP address but you'll have to do the
validation yourself (AFAIK) since OpenSSL doesn't. A cert normally
just specifies the DNS name of the server but I've encountered clients
who want to lock things down more tightly than that (so they are immune
to a DNS based attack I guess). The downside is you need to re-issue
certs if you deploy the server on another node.

In openssl.cnf you'd use subjectAltName=IP:aaa.bbb.ccc.ddd when issuing
a request.

Your verification code would look a bit like this:

#include <cstring>
#include <netinet/in.h>
#include <sys/socket.h>
#include <openssl/ssl.h>
#include <openssl/x509v3.h>

// Pull the subjectAltName extension out of the peer's certificate. The
// returned stack is ours to free.
STACK_OF(GENERAL_NAME) *gens = static_cast<STACK_OF(GENERAL_NAME) *>(
        X509_get_ext_d2i(peerCert, NID_subject_alt_name, NULL, NULL));

if (gens != NULL) {
        // Address the socket is actually connected to. getpeername() takes
        // a socklen_t *, not an int *.
        struct sockaddr_in peerAddress;
        socklen_t len = sizeof(peerAddress);
        bool matched = false;

        if (getpeername(SSL_get_fd(ssl),
                        reinterpret_cast<struct sockaddr *>(&peerAddress), &len) == 0
            && peerAddress.sin_family == AF_INET) {
                for (int index = 0; index < sk_GENERAL_NAME_num(gens); index++) {
                        GENERAL_NAME *gen = sk_GENERAL_NAME_value(gens, index);

                        // We got an IP address as an alternate name. It is stored
                        // as raw octets, not text: 4 bytes for IPv4 ([0].[1].[2].[3]
                        // in dotted notation), 16 for IPv6. Check the length before
                        // comparing so an IPv6 entry is not misread as IPv4.
                        if (gen->type == GEN_IPADD && ASN1_STRING_length(gen->d.ip) == 4) {
                                // ASN1_STRING_get0_data() in OpenSSL 1.1.0 and later
                                unsigned char *ipBytes = ASN1_STRING_data(gen->d.ip);
                                if (memcmp(&peerAddress.sin_addr, ipBytes, 4) == 0) {
                                        matched = true;   // any one matching entry is enough
                                        break;
                                }
                        }
                }
        }
        sk_GENERAL_NAME_pop_free(gens, GENERAL_NAME_free);

        if (!matched) {
                // handle incorrect IP here
        }
} else {
        // handle lack of IP here
}

There may be better ways of doing this, I'm not an OpenSSL expert - I've only
been using it for 3 months or so.

-----Original Message-----
From:   Coughlan, Brian
Sent:   Thu 11/29/2001 9:52 AM
To:     '[EMAIL PROTECTED]'
Cc:     
Subject:        binding IP addresses to X.509 certificates for use with OpenSSL?

Hi Guys,
 
I have come across an issue here, where some fellow designers want to
generate an X.509 certificate for use with OpenSSL, but they want to
specifically bind the generated cert to only be used with one individual
IP address. Is this possible? I have been doing a bit of reading up on the
X.509 cert format, and I have yet to see any field or part of the cert which
would contain an IP address value, or allow the cert to be used only with a
specific IP address.
 
I had always thought that the cert was independent of the network
configuration of the machine it was being used on, but is this always the
case?
 
Cheers,
 
Brian
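The same binding and check as an added example, written against Go's standard library rather than OpenSSL and not the poster's code: a self-signed certificate is issued with only an IP-address subjectAltName (what subjectAltName=IP:a.b.c.d in openssl.cnf produces), and the address the socket is connected to is then compared against the cert's IP entries, so a cert issued for one node fails on another. The address 10.0.0.5 and the name "node-1" are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"net"
	"time"
)

// issueCertForIP builds a self-signed cert whose subjectAltName carries a
// single IP-address entry and no DNS name (constructed test fixture).
func issueCertForIP(ip string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "node-1"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		IPAddresses:  []net.IP{net.ParseIP(ip)},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der) // re-parse so IPAddresses is read back from the DER SAN
}

// peerIPMatchesCert is the check the C++ loop above performs: the address the
// socket is actually connected to must equal one of the cert's IP SAN entries.
func peerIPMatchesCert(cert *x509.Certificate, peerAddr net.Addr) error {
	host, _, err := net.SplitHostPort(peerAddr.String())
	if err != nil {
		return err
	}
	if len(cert.IPAddresses) == 0 {
		return errors.New("certificate carries no IP subjectAltName entry")
	}
	// An IP literal is matched only against IP SAN entries, never CN or DNS names.
	return cert.VerifyHostname(host)
}
```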