On Thu, Jan 28, 2010, Adam Grossman wrote:

> hello,
> 
> so close, yet so far....
> 
> I fixed it where the client is sending its certs over and the
> handshake is complete.  But I have two problems:
> 
> 1.  For different clients, I have different CA certs, so I load them all
> up when the server starts up using:
>      SSL_CTX_load_verify_locations(ssl_ctx, <CA cert location>,NULL)
> 
> and then when it is time for a renegotiation, I call:
> SSL_set_client_CA_list(...)
> 
> with only the CA names that the particular client's certs are for.  But
> even when the CA cert's CN and the client cert's issuer CN do not match,
> the handshake completes successfully.  Am I wrong in assuming that it
> should fail?  Or does OpenSSL on the server side (which I am writing)
> not check to make sure that the cert and the CA cert match?
> 
> 2.  Given the cert and CA certs, is there a nice and simple call, like
> SSL_make_sure_certs_match_CA_certs(X509 *cert, STACK_OF(X509_NAME)
> *ca_stack)?  That would really make my day.
> 
> 

You can check this yourself using X509_NAME_cmp() on the issuer name of the
client certificate, which you can retrieve using X509_get_issuer_name(cert).

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org