Thanks.

My boss is not technical. I am the CTO of this product. Our customers are
your basic commercial customers. Yes, I picture that they would be their own
CA. Why pay Verisign if you don't have a bunch of people sitting at their
PCs trying to buy widgets from your Web site, and wondering if they can
trust it. Yes, I support a local CRL file.

I think our customers' situation is likely a LOT like yours: relatively few
machines, possibly distant and possibly on the public Internet. It's
basically an unattended box to unattended box product, so the problem is
identifying machines, not people.

Yes, IP addresses change. Obviously if someone is changing IP addresses a
lot they would have to change the whitelist a lot. 

I've got other fish to fry at the moment, but I kind of like the idea of
offering "if and only if the 'names' on the whitelist are IP addresses then
one (possibly wildcarded in the low-order node) must compare equal to the
incoming IP address, and the incoming IP address must also compare equal to
a (possibly wildcarded) name in the certificate."

This would *help* (everything is a help, right, nothing is absolute) with
the problem of a client certificate that "got away" into the wild, right?

Charles
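The two checks discussed in this thread, written out as an added example (not code from the thread, from Charles's product, or from OpenSSL): the original name-whitelist rule (subject O=, and per Dave's note also CN=, plus DNS alternative names, with wildcards allowed on the certificate side) and Charles's proposed IP-only variant, where every whitelist entry is an IPv4 address (optionally wildcarded in the low-order octet), the incoming peer address must match one of them, and the same peer address must also match an IP alternative name in the client certificate. The `ClientCert` class is a hypothetical stand-in for the fields a server would extract from the verified X.509 certificate; the addresses and names are constructed test values. This is an authorization step that runs only after the chain, expiry and CRL checks have passed.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class ClientCert:
    """Hypothetical stand-in for the name fields pulled from a verified client X.509 cert."""
    organization: Optional[str] = None          # subject O=
    common_name: Optional[str] = None           # subject CN=
    dns_names: List[str] = field(default_factory=list)   # subjectAltName DNS entries, may be "*.example.com"
    ip_names: List[str] = field(default_factory=list)    # subjectAltName IP entries


def is_ip_pattern(entry: str) -> bool:
    """True for a dotted-quad IPv4 address or one whose last octet is '*' (low-order wildcard)."""
    parts = entry.split(".")
    if len(parts) != 4:
        return False
    head, last = parts[:3], parts[3]
    if not all(p.isdigit() and 0 <= int(p) <= 255 for p in head):
        return False
    return last == "*" or (last.isdigit() and 0 <= int(last) <= 255)


def ip_matches(pattern: str, addr: str) -> bool:
    """Compare a concrete peer address against an exact or low-order-wildcarded IPv4 pattern."""
    try:
        a_parts = str(ipaddress.IPv4Address(addr)).split(".")   # normalises, rejects garbage
    except ValueError:
        return False
    p_parts = pattern.split(".")
    if len(p_parts) != 4:
        return False
    if p_parts[3] == "*":
        return p_parts[:3] == a_parts[:3]
    return p_parts == a_parts


def name_matches(cert_name: str, entry: str) -> bool:
    """Case-insensitive compare; a leading '*.' in the certificate name covers exactly one label."""
    cert_name, entry = cert_name.lower().rstrip("."), entry.lower().rstrip(".")
    if cert_name.startswith("*."):
        c_labels, e_labels = cert_name.split("."), entry.split(".")
        return (len(c_labels) == len(e_labels)
                and c_labels[1:] == e_labels[1:]
                and e_labels[0] != "")
    return cert_name == entry


def authorize(cert: ClientCert, whitelist: List[str], peer_ip: str) -> Tuple[bool, str]:
    """Apply the thread's policy; returns (allowed, reason)."""
    if not whitelist:
        # In the original design no whitelist means no client cert is requested at all.
        return True, "no whitelist configured"

    if all(is_ip_pattern(e) for e in whitelist):
        # Charles's proposed mode: whitelist holds only IP patterns, so the peer address
        # must match the whitelist AND an IP alternative name in the presented certificate.
        if not any(ip_matches(e, peer_ip) for e in whitelist):
            return False, f"peer {peer_ip} is not in the IP whitelist"
        if not any(ip_matches(n, peer_ip) for n in cert.ip_names):
            return False, f"peer {peer_ip} is not among certificate IP names {cert.ip_names}"
        return True, "peer IP matches both the whitelist and the certificate"

    # Original mode: any subject O=/CN= or DNS alternative name must match a whitelist entry.
    cert_names = [n for n in (cert.organization, cert.common_name) if n] + cert.dns_names
    for entry in whitelist:
        for name in cert_names:
            if name_matches(name, entry):
                return True, f"certificate name {name!r} matches whitelist entry {entry!r}"
    return False, "no certificate name matches the whitelist"


# Constructed sample: a batch client cert issued by the customer's own CA.
SAMPLE_CERT = ClientCert(
    organization="Example Corp",
    common_name="batch01.example.com",
    dns_names=["*.example.com"],
    ip_names=["192.0.2.10"],
)

if __name__ == "__main__":
    for wl, ip in ([["batch01.example.com"], "198.51.100.7"],
                   [["192.0.2.*"], "192.0.2.10"],
                   [["192.0.2.*"], "192.0.2.11"],
                   [["192.0.2.*"], "203.0.113.5"]):
        print(wl, ip, authorize(SAMPLE_CERT, wl, ip))
```

The third case is the "certificate that got away" scenario: the stolen certificate is presented from 192.0.2.11, which is inside the whitelisted range but is not one of the addresses the CA bound into the certificate, so the session is refused. As Dave points out, this only adds value where the clients' addresses are stable enough that the whitelist and the certificate's IP names can be kept current.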

-----Original Message-----
From: owner-openssl-us...@openssl.org
[mailto:owner-openssl-us...@openssl.org] On Behalf Of Dave Thompson
Sent: Wednesday, October 10, 2012 12:48 PM
To: openssl-users@openssl.org
Subject: RE: Best practice for client cert name checking

> From: owner-openssl-us...@openssl.org On Behalf Of Charles Mills
> Sent: Monday, 08 October, 2012 07:47

> Dave, any thoughts on my original question? My thread kind of got 
> hijacked.

Not much, but since you ask:

> -----Original Message-----
> From: Charles Mills [mailto:charl...@mcn.org]
> Sent: Saturday, October 06, 2012 9:52 AM
> To: openssl-users@openssl.org
> Subject: Best practice for client cert name checking
> 
> I have recently written a product that incorporates SSL/TLS server 
> code that processes client certificates. I designed what I thought 
> made sense at the time but now I am wondering if what I did was best.
> 
Whatever you, or your users/boss/customers/etc., need.

The technical question is do you use -- that is, have your clients use --
"public" CAs (like Verisign etc.) or a CA that you control (operate or
contract with)?
If the latter, maybe you can limit issuance so that any cert issued by this
CA and not revoked is a good client.
(Although for openssl revocation checking to be accurate, either you must
have some method to update CRLs often enough or you must implement OCSP.) 

> In the product's configuration file the sysadmin may optionally 
> include a whitelist of client names. If the sysadmin does so, then the 
> server requests a client certificate. At least one of the names 
> (subject O= and Alternative names, including wildcards) in the 
> certificate must match one of the names in the whitelist or I reject 
> the session.
> 
For public certs you may want CN (Common Name) as well as or even instead of
O (Organization). 

> Something I saw recently got me to wondering whether I should have 
> made some sort of provision for checking IP addresses: perhaps 
> verifying that the client IP address appeared in the Alternative names 
> in the client certificate as well as in the whitelist? Or perhaps that 
> the IP address matched an alternative name and the subject name 
> appeared in the whitelist?
> 
I wouldn't. In much of today's internet IP addresses are not very stable at
identifying machines, and even less so people.
But it's up to your users/etc what they need, or want.

FWIW, I work in a back-end environment where the systems that connect are
relatively few and very stable, though distant, so we just have our own CA
which issues certs to only valid clients. Your situation is likely
different.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
