[stunnel-users] List of Distinguished names in Certificate Request message

Diarmuid O'Neill Diarmuid.ONeill at aepsystems.com
Wed Nov 17 18:59:40 CET 2004


At the moment, stunnel's client certificate verification implementation does not include any Distinguished Names (of the trusted CA certificates configured) in the Request Certificate message.  Strictly speaking this violates RFC2246 (see below, apologies for formatting), but to date I've only seen one client that has a problem with it.  Explorer deals with this by displaying all available user certificates.  If the Distinguished Names are included in the cert req it only displays client certs signed by the appropriate CAs.

The patch below does the necessary openssl bits and pieces to make up the lists of DNs so they're sent with the certificate requests.  This has been tested under linux only.

7.4.4. Certificate request When this message will be sent: A non-anonymous server can optionally request a certificate from the client, if appropriate for the selected cipher suite. This message, if sent, will immediately follow the Server Key Exchange message (if it is sent; otherwise, the Server Certificate message). Structure of this message: enum { rsa_sign(1), dss_sign(2), rsa_fixed_dh(3), dss_fixed_dh(4), (255) } ClientCertificateType; opaque DistinguishedName<1..2^16-1>; struct { ClientCertificateType certificate_types<1..2^8-1>; DistinguishedName certificate_authorities<3..2^16-1>; } CertificateRequest; certificate_types This field is a list of the types of certificates requested, sorted in order of the server's preference. certificate_authorities A list of the distinguished names of acceptable certificate authorities. These distinguished names may specify a desired distinguished name for a root CA or for a subordinate CA; thus, this message can be used both to describe known roots and a desired authorization space. Note: DistinguishedName is derived from [X509]. Note: It is a fatal handshake_failure alert for an anonymous server to request client identification. 



This email and any files transmitted with it are confidential 
and intended solely for the use of the individual or entity to
whom they are addressed. If you have received this email
in error please notify the postmaster at the address below.
ITS-Support at aepsystems.com

Unless the contrary is specifically indicated above nothing in
this message is intended to constitute an electronic signature
within the meaning of the Electronic Commerce Act 2000 or
similar legislation enacted elsewhere in the world.

This footnote also confirms that this email message has been swept for the presence of computer viruses.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.stunnel.org/pipermail/stunnel-users/attachments/20041117/019a9562/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: stunnel_ca_list.patch
Type: application/octet-stream
Size: 2159 bytes
Desc: stunnel-4.05_ca_list.patch
URL: <http://www.stunnel.org/pipermail/stunnel-users/attachments/20041117/019a9562/attachment.obj>

More information about the stunnel-users mailing list