curl-library
Re: Finer control over certificate verification in SSL
Date: Tue, 01 Jun 2010 16:40:17 -0700
Don Dwiggins wrote:
> I have an application that includes a web server acting as a client to a
> "backend" server (using XMLRPC over HTTP), which has been working well. Now, I
> want to secure the connection using SSL, with the client verifying the backend
> server's certificate against a CA cert. I have this partially working.
>
> The problem I have is this: the application can be configured so that multiple
> backend servers may exist on the same machine, distinguished by their port
> numbers. So, I set the CN in the server certificate to something like
> "foo.bar.com:4060".
No client in the world will handle that. The CN is supposed to contain the
FQDN, nothing else. Why can't you use subjectAltName and put each backend
server on a different virtual IP address?
--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette:  http://curl.haxx.se/mail/etiquette.html

Received on 2010-06-02
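The name check discussed in this thread, as an added example that is not part of the original messages and is not libcurl's code: a simplified RFC 2818-style matcher showing that the client compares only the URL's host (the port is dropped) against the certificate's names. The function names and the URL path are hypothetical, and the certificate names are constructed sample values.

```python
from urllib.parse import urlsplit

def _name_matches(pattern: str, host: str) -> bool:
    """Case-insensitive label-by-label comparison.
    A '*' is honoured only as the entire leftmost label (simplified rule)."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = host.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*" and len(p_labels) > 2:
        return p_labels[1:] == h_labels[1:]
    return p_labels == h_labels

def cert_matches_url(url: str, common_name: str, san_dns=()) -> bool:
    """Return True if the certificate names cover the URL's host.
    The reference identity is the host name alone; the port never takes part.
    If subjectAltName dNSName entries exist they are used and the CN is
    ignored; the CN is only a fallback when there are none."""
    host = urlsplit(url).hostname          # "foo.bar.com", port stripped
    if host is None:
        return False
    names = list(san_dns) if san_dns else [common_name]
    return any(_name_matches(name, host) for name in names)

# Constructed sample input; the "/RPC2" path is a placeholder.
BACKEND_URL = "https://foo.bar.com:4060/RPC2"

if __name__ == "__main__":
    cases = [
        ("CN with port", "foo.bar.com:4060", ()),
        ("CN is the FQDN", "foo.bar.com", ()),
        ("SAN dNSName", "unused", ("foo.bar.com",)),
    ]
    for label, cn, san in cases:
        ok = cert_matches_url(BACKEND_URL, cn, san)
        print(f"{label:16} -> {'match' if ok else 'verification fails'}")
```

A certificate whose names hold only the FQDN verifies on every port of that host, so per-backend separation has to come from distinct host names or addresses, as the reply suggests, not from the CN.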