Konstantin:

You have a fundamental problem here - your server must be connected to,
in order to identify itself with its certificate. Therefore, connection
number 6, 7, 8, etc., won't even get the certificate to know that the
server only has 5 connections possible.

If you want to use attribute certificates, and you *could* use these to
let the users know that the server only accepts 5 certificates at a
time, you need to set up an attribute authority - essentially, a
configuration database that sends out signed values about your server,
to your clients. Since no-one outside of a couple of Defense communities
uses attribute certificates, and, IIRC, SSL/TLS has no mechanism to
transmit attribute certs, and certainly no client that I am aware of in
public knows how to consume attribute certs, you would have to add
support for attribute certs to your clients as well.

Unless you have some need to convey "queue position" or some similar UI
element to the user (which certificates certainly can't help you with),
just let TCP handle this for you - connection number 6 will get
"connection refused" at the TCP layer, and will either try again, or
give up and go away. If you need to do "queue position", then set up a
proxy connection to another server with unlimited connections, and keep
the user informed that way (or some other, probably better,
solution...)

Have fun.

Patrick.

Konstantin Ivanov wrote:
> David, 
> 
> What would be an approach then to implement such functionality? I just asked
> another question on attribute certificates, but maybe you can comment on
> that.
> 
> Thank you very much
> 
> ________________________________
> From: David Schwartz <dav...@webmaster.com>
> To: openssl-users@openssl.org
> Sent: Wednesday, June 24, 2009 4:17:44 PM
> Subject: RE: Custom SSL certificate parameters
> 
> 
>> Is it possible to create custom parameters into a certificate?
> 
> Yes. You can put anything you want in a certificate. It's basically just a
> binary chunk of data that is signed.
> 
>> For example, if I wish to have a certificate for a custom HTTP
>> server which can only accept maximum of 5 concurrent users,
>> can I incorporate this (lets say maxusercount parameter) into
>> a certificate so at the server I can retrieve this value and
>> only allow the number of users specified?
> 
> Not really. Certificates do not work as certificates when the enforcer and
> the enforcee are the same entity. Or, to put it more simply, a certificate
> can tell you who someone else is but not who you are. If you do use a
> certificate to do this, you are not actually using it as a certificate.
> 
> The security properties of certificates fundamentally rely on the entity
> processing the certificate to itself be trusted. So you can use Firefox to
> convince you that you really reached Amazon.com, but you can't use Firefox
> to convince you that you really used Firefox to reach them.
> 
> Fundamentally, you must be authenticating something other than yourself.
> 
> DS
> 
> 
> ______________________________________________________________________
> OpenSSL Project                                http://www.openssl.org
> User Support Mailing List                    openssl-users@openssl.org
> Automated List Manager                          majord...@openssl.org
> 

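What "you can put anything you want in a certificate" looks like in practice, and why it is not an enforcement mechanism: the following is an added example, not code from this thread or from the OpenSSL project, written against Go's standard-library crypto/x509 rather than OpenSSL so it runs stand-alone. It issues a self-signed server certificate carrying a private (hypothetical, placeholder-numbered) extension OID whose value is the maxusercount INTEGER, reads the value back on the server side, and feeds it into the concurrency cap. The cap itself lives in the server's own code, which is David's point: the certificate documents the policy, the server operator enforces it on themselves, so nothing here is being authenticated.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"fmt"
	"math/big"
	"sync"
	"time"
)

// Hypothetical private OID for a "maxusercount" extension: 1.3.6.1.4.1 is the
// IANA private-enterprise arc; 99999 is a placeholder, not a registered number.
var oidMaxUserCount = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 99999, 1}

// BuildServerCert issues a self-signed server certificate carrying the custom
// extension (value: one ASN.1 INTEGER) and returns the DER encoding.
func BuildServerCert(maxUsers int) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	val, err := asn1.Marshal(maxUsers)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "example.test"}, // placeholder name
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		ExtraExtensions: []pkix.Extension{{
			Id: oidMaxUserCount,
			// Non-critical: peers that do not know the OID must ignore it. If
			// this were critical, Go's cert.Verify (and other stacks) would
			// reject the chain as carrying an unhandled critical extension.
			Critical: false,
			Value:    val,
		}},
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
}

// MaxUserCount is the server reading the limit out of its own certificate.
func MaxUserCount(der []byte) (int, error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return 0, err
	}
	for _, ext := range cert.Extensions {
		if !ext.Id.Equal(oidMaxUserCount) {
			continue
		}
		var n int
		rest, err := asn1.Unmarshal(ext.Value, &n)
		if err != nil {
			return 0, err
		}
		if len(rest) != 0 || n <= 0 {
			return 0, errors.New("malformed maxusercount extension")
		}
		return n, nil
	}
	return 0, errors.New("maxusercount extension not present")
}

// Limiter admits at most limit concurrent sessions. This is where the limit is
// actually enforced: in code the server operator controls, which is why the
// signed value in the certificate adds no security, only documentation.
type Limiter struct {
	mu     sync.Mutex
	active int
	limit  int
}

func NewLimiter(limit int) *Limiter { return &Limiter{limit: limit} }

// Acquire reports whether one more session fits under the cap.
func (l *Limiter) Acquire() bool {
	l.mu.Lock()
	defer l.mu.Unlock()
	if l.active >= l.limit {
		return false
	}
	l.active++
	return true
}

func main() {
	der, err := BuildServerCert(5)
	if err != nil {
		panic(err)
	}
	n, err := MaxUserCount(der)
	if err != nil {
		panic(err)
	}
	lim := NewLimiter(n)
	for i := 1; i <= 6; i++ {
		fmt.Printf("connection %d admitted: %v\n", i, lim.Acquire())
	}
}
```

Note also that nothing in this example ever reaches a client: the sixth caller is turned away by Limiter after the TCP connection and TLS handshake have already completed, which is the ordering problem Patrick describes. A client could only learn the limit from the certificate after connecting, so the extension cannot tell it in advance that the server is full.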