On Wed, Nov 30, 2005 at 04:18:44PM -0500, Sean Rhea wrote:

> All,
> 
> I'm trying to use OpenSSL in a rather peculiar way, and I wonder if  
> anyone here can help me out.  I have two peers.  Each has an RSA  
> public-private key pair and a self-signed X509 certificate.  What I'd  
> like to do is establish a TLS connection between the two of them  
> where each can learn the public key fingerprint of the party on the  
> other side, and also verify that the party on the other side knows  
> the corresponding private key.  I don't want to accept any other kind  
> of connections.  In particular, any request from a party with no  
> certificate or a non-self-signed certificate should be rejected.
> 
> The idea here is that I'm using a peer's public key as its identity.   
> I don't care what its "real" name is, or about any of the rest of
> the information in the X509 certificate for that matter.  All I care  
> is that it knows the private key corresponding to the public key that  
> it's using as its identity.
> 
> From the code I've played with so far, it seems that I'll need to  
> call SSL_CTX_set_verify with a callback that catches the error  
> OpenSSL generates when it finds a self-signed, non-root certificate,  
> and do my check in there.  But I can't figure out what functions to  
> use to check the signature on the self-signed cert, or how to confirm  
> that the public key in that cert is the same as the one the peer is  
> trying to use to authenticate the connection.
> 
> Am I making any sense?  Any ideas?
> 

This is completely doable. Example code to be found in many SSL
applications.

        http://www.postfix.org/TLS_README.html#server_vrfy_client
        http://www.postfix.org/TLS_README.html#server_access
        http://www.postfix.org/postconf.5.html#permit_tls_clientcerts

Source code:

        http://www.postfix.org/dowload.html

get 2.3-20051128 and look at:

        src/tls/tls_verify.c
        src/tls/tls_server.c
        src/tls/tls_client.c

-- 
        Viktor.
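
The policy Sean describes (accept exactly one certificate, require that it be
signed by its own key, take the SPKI hash as the peer's identity, and let the
handshake itself prove possession of the private key) as an added, runnable
example. This is not code from the thread or from Postfix, and it uses Go's
crypto/tls rather than the OpenSSL C API so that both sides of the exchange
fit in one self-contained program: VerifyPeerCertificate plays the role of the
SSL_CTX_set_verify callback, and InsecureSkipVerify only switches off chain
building against a trust store, not the callback. The loopback TCP transport,
the 2048-bit RSA keys, the name-free certificates and the Peer type are all
assumptions made for this example.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"time"
)

// Peer is one party: its key pair and certificate, plus Seen, the fingerprint
// its verify callback recorded. Trust Seen only once Handshake returned nil:
// the callback runs before the peer's CertificateVerify has been checked.
type Peer struct {
	ID   tls.Certificate
	Seen string
}

// NewPeer makes a fresh 2048-bit RSA key and a certificate carrying no names
// at all: self-signed when signer is nil, otherwise signed by signer's key
// (the kind of certificate the policy below must reject).
func NewPeer(signer *Peer) (*Peer, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	parent, signKey := tmpl, any(key)
	if signer != nil {
		parent, signKey = signer.ID.Leaf, signer.ID.PrivateKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signKey)
	if err != nil {
		return nil, err
	}
	leaf, _ := x509.ParseCertificate(der) // DER we just produced; it parses
	return &Peer{ID: tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}}, nil
}

// Fingerprint is SHA-256 over the DER SubjectPublicKeyInfo, so the identity
// depends on the key alone and on nothing else in the certificate.
func Fingerprint(cert *x509.Certificate) string {
	return fmt.Sprintf("%x", sha256.Sum256(cert.RawSubjectPublicKeyInfo))
}

// VerifySelfSigned is the policy: exactly one certificate whose signature
// verifies under its own public key. That the peer holds the matching private
// key is proven by the handshake (CertificateVerify), not by anything here.
func VerifySelfSigned(rawCerts [][]byte) (string, error) {
	if len(rawCerts) != 1 {
		return "", fmt.Errorf("want exactly one certificate, got %d", len(rawCerts))
	}
	cert, err := x509.ParseCertificate(rawCerts[0])
	if err != nil {
		return "", err
	}
	// CheckSignature, not CheckSignatureFrom: the latter insists the signer be a CA.
	if err := cert.CheckSignature(cert.SignatureAlgorithm, cert.RawTBSCertificate, cert.Signature); err != nil {
		return "", fmt.Errorf("not self-signed: %w", err)
	}
	return Fingerprint(cert), nil
}

// Config serves both roles. InsecureSkipVerify only disables chain building
// against a trust store; VerifyPeerCertificate still runs and holds the policy.
func (p *Peer) Config() *tls.Config {
	cfg := &tls.Config{
		ClientAuth:         tls.RequireAnyClientCert, // no certificate at all fails here
		InsecureSkipVerify: true,
		VerifyPeerCertificate: func(raw [][]byte, _ [][]*x509.Certificate) error {
			fp, err := VerifySelfSigned(raw)
			if err == nil {
				p.Seen = fp
			}
			return err
		},
	}
	if p.ID.Leaf != nil { // a Peer{} without a certificate presents none
		cfg.Certificates = []tls.Certificate{p.ID}
	}
	return cfg
}

// Handshake connects client to server over loopback TCP and reports each
// side's verdict. Under TLS 1.3 the client finishes before the server has
// looked at its certificate, so a server-side rejection shows in serverErr.
func Handshake(client, server *Peer) (clientErr, serverErr error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return err, err
	}
	defer ln.Close()
	done := make(chan error, 1)
	go func() {
		raw, err := ln.Accept()
		if err == nil {
			defer raw.Close()
			err = tls.Server(raw, server.Config()).Handshake()
		}
		done <- err
	}()
	raw, err := net.Dial("tcp", ln.Addr().String())
	if err != nil {
		ln.Close() // unblocks Accept so the goroutine reports and exits
		return err, <-done
	}
	defer raw.Close()
	return tls.Client(raw, client.Config()).Handshake(), <-done
}
```

Two self-signed peers handshake successfully and each ends up with the
other's key fingerprint in Seen; a client presenting no certificate fails at
RequireAnyClientCert, and a certificate signed by some other key fails in
VerifySelfSigned on whichever side receives it. The same caveat applies with
OpenSSL: read the peer's certificate and fingerprint only after the handshake
has completed, since the verify callback fires before the proof of possession
has been checked.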
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [email protected]