Sorry if I'm being dumb...but what if the certificate
was not generated using OpenSSL?  Do I still access
this field of subjectAltName by getting "DNS"?  Is
"DNS" OpenSSL specific?



Ed

--- Christian Hohnstaedt <[EMAIL PROTECTED]> wrote:
> Hi,
> 
> The "DNS" refers to the configuration value in your
> openssl.cnf file
> it is the name of the "conf-value"
> e.g. 
> subjectAltName = DNS:foo.bar.com, IP:10.11.12.13
> 
> also look at doc/openssl.txt
> 
> Greets
> 
> Christian
> 
> 
> On Thu, Oct 24, 2002 at 11:57:42AM -0700, Edward Chan wrote:
> > Hi there,
> > 
> > I'm looking at some code for doing post connection
> > checks to make sure the DNS name specified in the
> > certificate matches the host the client is trying to
> > connect to.  The code is from Chapter 5 of "Network
> > Security with OpenSSL".
> > 
> > It looks like it first gets the subjectAltName field
> > of the certificate, then tries to get the dNSName.
> > However, it specifies "DNS" instead of "dNSName".  Is
> > this an error?  Should it be "DNS" or "dNSName"?  And
> > if I want to check for IP address, should I specify
> > "iPAddress"?
> > 
> > The code is below. The line
> > 
> > if (!strcmp(nval->name, "DNS") && !strcmp(nval->value, host))
> > 
> > looks suspicious to me.
> > 
> > 
> > long post_connection_check(SSL *ssl, char *host)
> > {
> >     X509      *cert;
> >     X509_NAME *subj;
> >     char      data[256];
> >     int       extcount;
> >     int       ok = 0;
> >  
> >     /* Checking the return from SSL_get_peer_certificate here is not strictly
> >      * necessary.  With our example programs, it is not possible for it to return
> >      * NULL.  However, it is good form to check the return since it can return NULL
> >      * if the examples are modified to enable anonymous ciphers or for the server
> >      * to not require a client certificate.
> >      */
> >     if (!(cert = SSL_get_peer_certificate(ssl)) || !host)
> >         goto err_occured;
> >     if ((extcount = X509_get_ext_count(cert)) > 0)
> >     {
> >         int i;
> >  
> >         for (i = 0;  i < extcount;  i++)
> >         {
> >             char              *extstr;
> >             X509_EXTENSION    *ext;
> >  
> >             ext = X509_get_ext(cert, i);
> >             extstr = OBJ_nid2sn(OBJ_obj2nid(X509_EXTENSION_get_object(ext)));
> >  
> >             if (!strcmp(extstr, "subjectAltName"))
> >             {
> >                 int                  j;
> >                 unsigned char        *data;
> >                 STACK_OF(CONF_VALUE) *val;
> >                 CONF_VALUE           *nval;
> >                 X509V3_EXT_METHOD    *meth;
> >  
> >                 if (!(meth = X509V3_EXT_get(ext)))
> >                     break;
> >                 data = ext->value->data;
> >  
> >                 val = meth->i2v(meth,
> >                                 meth->d2i(NULL, &data, ext->value->length),
> >                                 NULL);
> >                 for (j = 0;  j < sk_CONF_VALUE_num(val);  j++)
> >                 {
> >                     nval = sk_CONF_VALUE_value(val, j);
> >                     if (!strcmp(nval->name, "DNS") && !strcmp(nval->value, host))
> >                     {
> >                         ok = 1;
> >                         break;
> >                     }
> >                 }
> >             }
> >             if (ok)
> >                 break;
> >         }
> >     }
> >  
> >     if (!ok && (subj = X509_get_subject_name(cert)) &&
> >         X509_NAME_get_text_by_NID(subj, NID_commonName, data, 256) > 0)
> >     {
> >         data[255] = 0;
> >         if (strcasecmp(data, host) != 0)
> >             goto err_occured;
> >     }
> >  
> >     X509_free(cert);
> >     return SSL_get_verify_result(ssl);
> >  
> > err_occured:
> >     if (cert)
> >         X509_free(cert);
> >     return X509_V_ERR_APPLICATION_VERIFICATION;
> > }
> > 
> > 
> > 


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
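For anyone reading this thread later: below is an added example, not code from the book or from either poster, of the same post-connection check written over the name list that Python's ssl.SSLSocket.getpeercert() returns. That list is built from OpenSSL's i2v output, so its entries carry exactly the labels the C snippet above compares against: "DNS" for a dNSName and "IP Address" for an iPAddress (note that the printed label for IP entries is "IP Address", not the "IP:" keyword used on the openssl.cnf input side). The two certificate dicts are constructed inline for the demo; the matching rules (case-insensitive comparison, a wildcard honoured only as the whole left-most label, and the CN consulted only when the SAN carries no usable name) are the usual RFC 6125 rules and go beyond what the book's strcmp loop does.

```python
"""Post-connection hostname check over the subjectAltName entries as
Python's ssl.SSLSocket.getpeercert() presents them.  The entry labels
come from OpenSSL's i2v output, so 'DNS' and 'IP Address' are the
same strings whichever tool issued the certificate."""
import ipaddress


def dns_name_matches(pattern, host):
    """RFC 6125 style dNSName comparison: case-insensitive, and a
    wildcard is honoured only as the entire left-most label
    ('*.bar.com'), never inside a label or for the apex itself."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels = pattern.split(".")
    h_labels = host.split(".")
    # Refuse '*', '*.com', 'f*o.bar.com' and 'a.*.bar.com'.
    if p_labels[0] != "*" or len(p_labels) < 3 or "*" in pattern[1:]:
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def post_connection_check(cert, host):
    """Return True when `cert` (getpeercert() dict shape) names `host`.

    An IP-literal host must match an 'IP Address' entry.  If the SAN
    carries any DNS or IP entries, only they are consulted and the CN
    is ignored, as browsers do; the CN is a fallback for certificates
    whose SAN lacks such entries."""
    san = cert.get("subjectAltName", ())
    dns_entries = [value for (label, value) in san if label == "DNS"]
    ip_entries = [value for (label, value) in san if label == "IP Address"]

    try:
        host_ip = ipaddress.ip_address(host)
    except ValueError:
        host_ip = None

    if host_ip is not None:
        for value in ip_entries:
            try:
                if ipaddress.ip_address(value) == host_ip:
                    return True
            except ValueError:
                continue  # malformed entry in the certificate, skip it
        return False

    if dns_entries or ip_entries:
        return any(dns_name_matches(p, host) for p in dns_entries)

    # Legacy fallback: no applicable SAN entries, so compare the CN.
    for rdn in cert.get("subject", ()):
        for (attr, value) in rdn:
            if attr == "commonName":
                return dns_name_matches(value, host)
    return False


# Constructed sample peer certificates in getpeercert() dict shape
# (hand-written for this example, not parsed from real certificates).
SAN_CERT = {
    "subject": ((("commonName", "legacy.example.net"),),),
    "subjectAltName": (
        ("DNS", "foo.bar.com"),
        ("DNS", "*.bar.com"),
        ("IP Address", "10.11.12.13"),
    ),
}
CN_ONLY_CERT = {
    "subject": (
        (("countryName", "US"),),
        (("commonName", "legacy.example.net"),),
    ),
}

if __name__ == "__main__":
    for cert_name, cert, host in [
        ("SAN_CERT", SAN_CERT, "FOO.BAR.COM"),
        ("SAN_CERT", SAN_CERT, "www.bar.com"),
        ("SAN_CERT", SAN_CERT, "a.b.bar.com"),
        ("SAN_CERT", SAN_CERT, "10.11.12.13"),
        ("SAN_CERT", SAN_CERT, "legacy.example.net"),
        ("CN_ONLY_CERT", CN_ONLY_CERT, "legacy.example.net"),
    ]:
        print(cert_name, host, post_connection_check(cert, host))
```

Two caveats worth keeping in mind when comparing this with the book's loop: strcmp() on nval->value is case-sensitive, and the loop never looks at "IP Address" entries at all, so a client connecting by IP literal falls through to the CN comparison. With OpenSSL 1.1.0 or later the whole check can be delegated to SSL_set1_host() before the handshake, or X509_check_host() / X509_check_ip_asc() afterwards, which apply the same rules in library code.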
