[Devel] TLS ...

Klaus Darilion klaus.mailinglists at pernau.at
Wed Feb 22 15:52:38 CET 2006


I just got another idea/question: How should the certificate parameters 
be exported?

° via AVPs during a dedicated call
   tls_get_cert_subject("s:cert_subject");

° via pre-defined AVPs
    tls_get_cert_params(); # copy parameters into
                           # predefined AVPs

° via pseudo variables
   $cs    # certificate subject
   $cc    # certificate common name
   $cin   # certificate issuer name
   $cif   # certificate issuer fingerprint
   ...

any comments?

regards
klaus


Klaus Darilion wrote:
> Hi!
> 
> I've written a small tlsops module with the function is_peer_verified(), 
> which allows checking whether the request was received via a validated TLS 
> connection.
> 
> This is done via:
> 1. get tcp connection of received msg
> 2. get extra data (= SSL)
> 3. SSL_get_verify_result(ssl);
> 
> This can be easily extended to fetch certificate parameters.
> 
> Consider a scenario where a TLS connection is setup and stays open for a 
> long time and there are lots of messages received via this connection.
> 
> Then, using the above steps might be a little bit complicated. Maybe it 
> might perform better to retrieve interesting parameters (common name, 
> issuer, ...) only once during tls_accept/tcp_connect and store them 
> together with the tcp connection (e.g. tcp_connection->extra_data2).
> 
> Thus, retrieving TLS parameters does not require retrieving the 
> parameters from the openssl stack, but from the tcp_connection 
> structure. I do not know if this is really a performance gain - depends 
> on the handling inside of openssl.
> 
> Further: tcp_connection->extra_data
> Is this used only for storing SSL? If yes, maybe we should rename it to
> tcp_connection->ssl ?
> 
> regards
> klaus
> 
> _______________________________________________
> Devel mailing list
> Devel at openser.org
> http://openser.org/cgi-bin/mailman/listinfo/devel
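The thread above sketches three things: an is_peer_verified() check built on the connection's SSL object, an export of certificate parameters as variables such as $cs, $cc, $cin and $cif, and the idea of extracting those parameters once at accept time and storing them with the TCP connection instead of going back to the OpenSSL stack for every message. The following is an added illustration, not code from the OpenSER tlsops module (which is C against OpenSSL); it uses the data shapes of Python's standard `ssl` module (the nested-tuple subject/issuer returned by `getpeercert()`, and the DER bytes from `getpeercert(binary_form=True)`) so it runs offline on a constructed, clearly non-real certificate record. The names CertParams, ConnectionCache, extract_cert_params and the sample values are all assumptions made here. Two details worth noting: a peer that presents no certificate at all must count as unverified (`getpeercert()` returns None in that case, and an empty dict when the handshake did not validate the certificate), and the issuer's own fingerprint ($cif) needs the issuer certificate from the verified chain, which the stdlib API does not expose, so the example computes and labels the peer certificate's SHA-256 fingerprint instead.

```python
"""Map a verified peer certificate to the $cs / $cc / $cin style variables
proposed in the thread, and cache the result once per TCP connection.

Added example; assumes the dict/tuple layout of ssl.SSLSocket.getpeercert()."""
import hashlib
from dataclasses import dataclass
from typing import Optional

# getpeercert() spells attribute types out in full; map them to the usual
# short DN labels so the rendered subject reads like an OpenSSL one-liner.
_SHORT = {"countryName": "C", "stateOrProvinceName": "ST", "localityName": "L",
          "organizationName": "O", "organizationalUnitName": "OU",
          "commonName": "CN", "emailAddress": "emailAddress"}


def dn_to_string(dn):
    """Render a getpeercert() DN (tuple of RDNs, each a tuple of (type, value)
    pairs) as 'C=AT, O=..., CN=...'; multi-valued RDNs are joined with '+'."""
    return ", ".join("+".join(f"{_SHORT.get(k, k)}={v}" for k, v in rdn)
                     for rdn in dn)


def dn_get(dn, attr):
    """First value of attribute `attr` (e.g. 'commonName') in a DN, or None."""
    for rdn in dn:
        for k, v in rdn:
            if k == attr:
                return v
    return None


@dataclass(frozen=True)
class CertParams:
    verified: bool
    subject: Optional[str] = None       # $cs
    common_name: Optional[str] = None   # $cc
    issuer: Optional[str] = None        # $cin
    fingerprint: Optional[str] = None   # SHA-256 of the peer cert's DER (not $cif)


def extract_cert_params(peercert, der):
    """peercert: getpeercert() result (None = no certificate presented,
    {} = presented but not validated by the handshake); der: DER bytes."""
    if not peercert or der is None:
        # Absent or unvalidated certificate: report nothing the peer did not
        # prove ownership of, so is_peer_verified() stays false.
        return CertParams(verified=False)
    digest = hashlib.sha256(der).digest()
    return CertParams(
        verified=True,
        subject=dn_to_string(peercert["subject"]),
        common_name=dn_get(peercert["subject"], "commonName"),
        issuer=dn_to_string(peercert["issuer"]),
        fingerprint=":".join(f"{b:02X}" for b in digest),
    )


class ConnectionCache:
    """Parameters stored once per connection (the extra_data2 idea): filled at
    accept/connect time, looked up per message, dropped when the socket closes."""

    def __init__(self):
        self._by_conn = {}

    def on_accept(self, conn_id, peercert, der):
        self._by_conn[conn_id] = extract_cert_params(peercert, der)

    def on_close(self, conn_id):
        # Never let a stale verdict outlive the TCP connection it belongs to.
        self._by_conn.pop(conn_id, None)

    def lookup(self, conn_id):
        return self._by_conn.get(conn_id)


def is_peer_verified(cache, conn_id):
    """Equivalent of the thread's is_peer_verified(), served from the cache."""
    params = cache.lookup(conn_id)
    return params is not None and params.verified


# Constructed sample record, not a real certificate.
SAMPLE_PEERCERT = {
    "subject": ((("countryName", "AT"),),
                (("organizationName", "Example SIP"),),
                (("commonName", "sip.example.test"),)),
    "issuer": ((("countryName", "AT"),),
               (("commonName", "Example Test CA"),)),
    "notAfter": "Jan  1 00:00:00 2030 GMT",
}
SAMPLE_DER = b"constructed placeholder bytes, not DER"

if __name__ == "__main__":
    cache = ConnectionCache()
    cache.on_accept(7, SAMPLE_PEERCERT, SAMPLE_DER)
    cache.on_accept(8, None, None)            # peer sent no certificate
    for cid in (7, 8):
        print(cid, is_peer_verified(cache, cid), cache.lookup(cid))
```

In the real module the cache entry would hang off the tcp_connection structure and be filled from the X509 object after `SSL_get_verify_result()` reports success; the lookup path then never touches OpenSSL per message, which is the performance argument made in the thread.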
