#
26433cb1 |
| 10-Dec-2024 |
tb <tb@openbsd.org> |
Provide tls_peer_cert_common_name()
Provide tls_peer_cert_common_name()
There is currently no sane way of getting your hands on the common name or subject alternative name of the peer certificate from libtls. It is possible to extract it from the peer cert's PEM by hand, but that way lies madness. While the common name is close to being deprecated in the webpki, it is still the de facto standard to identify client certs. It would be nice to have a way to access the subject alternative names as well, but this is a lot more difficult to expose in a clean and sane C interface due to its multivaluedness.
Initial diff from henning, with input from beck, jsing and myself. henning and bluhm have plans of using this in syslogd.
ok beck
|
#
5f3c5205 |
| 10-Apr-2017 |
jsing <jsing@openbsd.org> |
Rework name verification code so that a match is indicated via an argument, rather than return codes. More strictly follow RFC 6125, in particular only check the CN if there are no SAN identifiers present in the certificate (per section 6.4.4).
Previous behaviour questioned by Daniel Stenberg <daniel at haxx dot se>.
ok beck@ jca@
|
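As an added example that is not the libtls implementation, the following stand-alone C code applies the rule this commit describes: subject alternative name dNSName entries are authoritative, and the subject CN is consulted only when the certificate carries no SAN identifiers (RFC 6125 section 6.4.4). It also mirrors the interface change in the commit by reporting the match through an argument and reserving the return value for errors. The function names (`verify_host`, `host_ok`, `name_matches`), the wildcard handling (left-most label only, covering exactly one label, with at least two labels after it) and the sample names are assumptions made for the example; only dNSName SANs are modelled, so iPAddress and other SAN types are out of scope here.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/*
 * Added example (not libtls code): hostname verification where SAN
 * dNSName values are authoritative and the CN is a fallback only when
 * no SAN identifiers exist at all (RFC 6125 section 6.4.4). Only
 * dNSName SANs are modelled; iPAddress SANs are not handled here.
 */

/* Case-insensitive equality of two NUL-terminated names (DNS names are ASCII). */
static int
ci_equal(const char *a, const char *b)
{
	size_t i, alen = strlen(a), blen = strlen(b);

	if (alen != blen)
		return 0;
	for (i = 0; i < alen; i++)
		if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
			return 0;
	return 1;
}

/*
 * Match one presented identifier against the reference hostname. A
 * wildcard is accepted only as the entire left-most label, matches
 * exactly one label, and needs at least two labels after it, so
 * "*.com" never matches (RFC 6125 6.4.3, applied conservatively).
 */
static int
name_matches(const char *pattern, const char *host)
{
	const char *psuffix, *hsuffix;

	if (pattern == NULL || host == NULL || *pattern == '\0' || *host == '\0')
		return 0;

	if (pattern[0] == '*' && pattern[1] == '.') {
		psuffix = pattern + 1;			/* ".example.com" */
		if (strchr(psuffix + 1, '.') == NULL)
			return 0;			/* "*.com": too few labels */
		hsuffix = strchr(host, '.');
		if (hsuffix == NULL || hsuffix == host)
			return 0;			/* nothing for '*' to cover */
		return ci_equal(psuffix, hsuffix);
	}

	/* A '*' anywhere else is not a wildcard we accept. */
	if (strchr(pattern, '*') != NULL)
		return 0;

	return ci_equal(pattern, host);
}

/*
 * Verify `host` against the certificate's names.
 * sans/nsans: dNSName values from the SAN extension (nsans may be 0).
 * cn:         subject common name, or NULL when absent.
 * Returns 0 on success with *match set to 1 or 0, -1 on bad arguments.
 */
int
verify_host(const char *host, const char *const *sans, size_t nsans,
    const char *cn, int *match)
{
	size_t i;

	if (match == NULL)
		return -1;
	*match = 0;
	if (host == NULL || *host == '\0')
		return -1;

	if (nsans > 0) {
		/* SAN identifiers present: the CN is never consulted. */
		for (i = 0; i < nsans; i++) {
			if (name_matches(sans[i], host)) {
				*match = 1;
				break;
			}
		}
		return 0;
	}

	/* No SAN identifiers at all: fall back to the CN. */
	if (cn != NULL && name_matches(cn, host))
		*match = 1;
	return 0;
}

/* Convenience wrapper: 1 match, 0 no match, -1 error. */
int
host_ok(const char *host, const char *const *sans, size_t nsans, const char *cn)
{
	int match;

	if (verify_host(host, sans, nsans, cn, &match) == -1)
		return -1;
	return match;
}

/* Constructed certificate names for trying the functions out; not from any real cert. */
static const char *const example_sans[] = { "mail.example.com", "*.example.org" };
static const char *const example_sans_tld[] = { "*.com" };
```

With `example_sans` present, a hostname that only appears in the CN is rejected, which is exactly the behaviour change the commit describes; the CN is honoured only when `nsans` is zero.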
#
c67861f7 |
| 05-Apr-2017 |
beck <beck@openbsd.org> |
Add tls_peer_cert_chain_pem - To retrieve the peer certificate and chain as PEM format. This allows for it to be used or examined with tools external to libtls. bump minor. ok jsing@
|
#
b50cee5a |
| 22-Aug-2016 |
jsing <jsing@openbsd.org> |
Stick with the usual 'if NULL return NULL' idiom.
ok beck@
|
#
f00a4e85 |
| 07-Oct-2015 |
beck <beck@openbsd.org> |
Add tls_peer_cert_notbefore and tls_peer_cert_notafter to expose peer certificate validity times for tls connections. ok jsing@
|
#
ab8f2ec6 |
| 12-Sep-2015 |
beck <beck@openbsd.org> |
Move connection info into its own private structure allocated and filled in at handshake time. Change accessors to return const char * to remove need for caller to free memory. ok jsing@
|
#
c807f1c8 |
| 11-Sep-2015 |
beck <beck@openbsd.org> |
!= -> == that I broke while bikeshedding
|
#
0fb5de82 |
| 11-Sep-2015 |
beck <beck@openbsd.org> |
add tls_peer functions for checking names and issuers of peer certificates. ok jsing@
|
#
a0ec9d6b |
| 11-Sep-2015 |
jsing <jsing@openbsd.org> |
Provide tls_peer_cert_hash() which returns a hash of the raw certificate that was presented by the peer. The hash used is currently SHA256, however since we prefix the result with the hash name, we can change this in the future as the need arises.
The same output can be generated by using:
h=$(openssl x509 -outform der -in mycert.crt | sha256)
printf "SHA256:${h}\n"
ok beck@
|
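As an added example, not libtls code, here is how a caller might compare the "SHA256:<hex>" string this commit describes against a pinned value. The point the commit makes about the hash-name prefix carries over: the prefix is part of the value, so a hash produced with some other algorithm is reported as an error rather than as a silent mismatch, and hex digits are compared case-insensitively so a pin recorded in uppercase still matches the lowercase output of `sha256`. The function name `pin_matches` and the hash strings are constructed for the example and are not real certificate hashes.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/*
 * Added example (not libtls code): compare a peer certificate hash in
 * the "SHA256:<hex>" form against a pinned value. The algorithm prefix
 * is checked explicitly so a future "SHA512:"-style value is an error,
 * never a false mismatch or a false match.
 */

#define PIN_PREFIX	"SHA256:"
#define PIN_HEXLEN	64		/* 32 bytes of SHA-256 as hex digits */

/* Value of a hex digit, or -1 if `c` is not one. */
static int
hexval(int c)
{
	c = tolower((unsigned char)c);
	if (c >= '0' && c <= '9')
		return c - '0';
	if (c >= 'a' && c <= 'f')
		return c - 'a' + 10;
	return -1;
}

/*
 * Returns 1 if `peer` matches `pin`, 0 if both are well-formed SHA256
 * values that differ, and -1 if either is missing, carries a different
 * algorithm prefix, or has the wrong length or non-hex characters.
 */
int
pin_matches(const char *peer, const char *pin)
{
	size_t plen = strlen(PIN_PREFIX), i;
	int differ = 0;

	if (peer == NULL || pin == NULL)
		return -1;
	if (strncmp(peer, PIN_PREFIX, plen) != 0 ||
	    strncmp(pin, PIN_PREFIX, plen) != 0)
		return -1;
	peer += plen;
	pin += plen;
	if (strlen(peer) != PIN_HEXLEN || strlen(pin) != PIN_HEXLEN)
		return -1;

	for (i = 0; i < PIN_HEXLEN; i++) {
		int a = hexval(peer[i]), b = hexval(pin[i]);

		if (a < 0 || b < 0)
			return -1;
		if (a != b)
			differ = 1;
	}
	return differ ? 0 : 1;
}

/* Constructed hash strings for trying the function out; not real certificate hashes. */
static const char example_peer_hash[] =
    "SHA256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef";
static const char example_pin_upper[] =
    "SHA256:0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF";
static const char example_other_pin[] =
    "SHA256:fedcba9876543210fedcba9876543210fedcba9876543210fedcba9876543210";
```

Treating a prefix mismatch as an error rather than a plain "no match" matters operationally: if the library ever switches algorithms as the commit anticipates, a caller that only compares strings would see every pin start failing with no indication why.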