On Fri, 2010-01-29 at 01:52 +0100, Dr. Stephen Henson wrote:
> On Thu, Jan 28, 2010, Adam Grossman wrote:
>
> > hello,
> >
> > so close, yet so far....
> >
> > i fixed it where the client is sending its certs over and the
> > handshake is complete. but i have two problems:
> >
> > 1. for different clients, i have different CA certs. so i load them all
> > up when the server starts up using:
> > SSL_CTX_load_verify_locations(ssl_ctx, <CA cert location>, NULL)
> >
> > and then when it is time for a renegotiation, i call:
> > SSL_set_client_CA_list(...)
> >
> > with only the CA names that the particular client's certs are for. but
> > even when the CA cert's CN and the client cert's issuer CN do not match,
> > the handshake completes successfully. am i wrong in assuming that it
> > should fail? or does openssl on the server side (which i am writing)
> > not check to make sure that the cert and the CA cert match?
> >
> > 2. Given the cert and CA certs, is there a nice and simple call, like
> > SSL_make_sure_certs_match_CA_certs(X509 *cert, STACK_OF(X509_NAME)
> > *ca_stack)? that would really make my day.
> >
> >
>
> You can check this yourself using X509_NAME_cmp() on the issuer name of the
> client certificate. Which you can retrieve using X509_get_issuer_name(cert).
>
> Steve.
thank you so much, it worked perfectly.

-=- adam grossman

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org