
List:       stunnel-users
Subject:    Check common name in server certificate?
From:       "Wagemans, P.C.C." <p.wagemans () kpn ! com>
Date:       1999-12-23 10:15:50

Dear stunnelers,

Apologies if this issue has been discussed before (I failed to find it
in the mailing list archives). If so, please tell me where I can find
additional information.

I'm looking at the possibility of using stunnel as an SSL client for a
secure web server, with mutual authentication of both sides. This
works if you use "-v 3" and provide the client with the SSL server
certificate (and the CA chain). However, it seems more convenient if
you don't have to install the server certificate at the client
location whenever the server certificate is renewed. So I was looking
for a way to only check the common name in the server certificate, not
the complete certificate. Is there a way to do this?

If not, how about the following idea:

    Add a field remotehost to options.

    Add a command line option, e.g. -R <<remotehostname>>, to set that
    field.

    Do the following in verify_callback: if the error_depth is zero
    and both OPT_CLIENT and OPT_REMOTE present and the remotehost
    string is not empty, extract the common name from the current
    certificate and compare it with the specified remotehost string.
    Refuse the connection and log this if the strings don't match.

    Update docs, man page, print_help, ...

Then use it something like this:

    stunnel -c -v 2 -p <<client certificate file>> \
            -d <<listening address>>:<<port>> \
            -r <<remote host>>:<<port>> \
            -R <<common name in server certificate>> \
            <<service name>>

Any objections, problems, warnings or better solutions?

Regards,

Peter Wagemans
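The verify_callback check sketched in the proposal above, as an added example that is not stunnel's own code: a dependency-free C version that pulls the commonName out of a DER-encoded subject Name and applies the depth-0 / OPT_CLIENT / OPT_REMOTE / non-empty remotehost rules. In stunnel itself the CN would come from OpenSSL (X509_NAME_get_text_by_NID on the certificate held in the X509_STORE_CTX) and the CA chain is still verified by "-v 2"; the DER walker, the option bit values and the sample subject are assumptions made so the code runs stand-alone.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>
enum { OPT_CLIENT = 1, OPT_REMOTE = 2 };   /* hypothetical option bits named in the proposal */
/* Decode one DER tag/length header; returns header size, 0 if malformed (lengths <= 0xFFFF). */
static size_t der_hdr(const unsigned char *p, size_t n, unsigned char *tag, size_t *len) {
    if (n < 2) return 0;
    *tag = p[0];
    if (p[1] < 0x80) { *len = p[1]; return 2; }
    if (p[1] == 0x81 && n > 2) { *len = p[2]; return 3; }
    if (p[1] == 0x82 && n > 3) { *len = ((size_t)p[2] << 8) | p[3]; return 4; }
    return 0;
}
/* First commonName (OID 2.5.4.3) from a DER X.509 Name (SEQUENCE of SET of SEQUENCE{OID,string}). */
int der_name_get_cn(const unsigned char *d, size_t n, char *out, size_t outsz) {
    static const unsigned char cn_oid[5] = {0x06, 0x03, 0x55, 0x04, 0x03};
    unsigned char tag; size_t h, len, i, sh, sl, j, ah, al, vh, vl;
    if (!(h = der_hdr(d, n, &tag, &len)) || tag != 0x30 || h + len > n) return 0;
    for (i = h; i < h + len; i += sh + sl) {               /* each RelativeDistinguishedName */
        if (!(sh = der_hdr(d + i, n - i, &tag, &sl)) || tag != 0x31 || i + sh + sl > n) return 0;
        for (j = i + sh; j < i + sh + sl; j += ah + al) {   /* each AttributeTypeAndValue */
            if (!(ah = der_hdr(d + j, n - j, &tag, &al)) || tag != 0x30 || j + ah + al > n) return 0;
            const unsigned char *atv = d + j + ah;
            if (al <= 5 || memcmp(atv, cn_oid, 5) != 0) continue;   /* not a CN attribute */
            vh = der_hdr(atv + 5, al - 5, &tag, &vl);       /* PrintableString/UTF8String/IA5String */
            if (!vh || (tag != 0x13 && tag != 0x0C && tag != 0x16)) return 0;
            if (5 + vh + vl > al || vl >= outsz) return 0;  /* malformed or too long for out */
            memcpy(out, atv + 5 + vh, vl); out[vl] = '\0'; return 1;
        }
    }
    return 0;
}
/* The proposed check: depth 0 only, client mode with -r only, -R non-empty only. 1 = accept, 0 = refuse. */
int check_remote_cn(int depth, int opts, const char *remotehost,
                    const unsigned char *subject_der, size_t n) {
    char cn[256];
    if (depth != 0 || (opts & (OPT_CLIENT | OPT_REMOTE)) != (OPT_CLIENT | OPT_REMOTE)
        || remotehost == NULL || remotehost[0] == '\0') return 1;   /* check does not apply */
    if (!der_name_get_cn(subject_der, n, cn, sizeof cn) || strcasecmp(cn, remotehost) != 0) {
        fprintf(stderr, "server certificate CN does not match -R \"%s\", refusing\n", remotehost);
        return 0;                                             /* DNS names compare case-insensitively */
    }
    return 1;
}
/* Constructed sample subject C=NL, CN=www.example.com (not taken from any real certificate). */
const unsigned char example_subject[] = {
    0x30, 0x27, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 'N', 'L',
    0x31, 0x18, 0x30, 0x16, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x0f,
    'w', 'w', 'w', '.', 'e', 'x', 'a', 'm', 'p', 'l', 'e', '.', 'c', 'o', 'm' };
```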
