
Re: Finer control over certificate verification in SSL

From: Howard Chu <hyc_at_highlandsun.com>
Date: Tue, 01 Jun 2010 16:40:17 -0700

Don Dwiggins wrote:
> I have an application that includes a web server acting as a client to a
> "backend" server (using XMLRPC over HTTP), which has been working well. Now, I
> want to secure the connection using SSL, with the client verifying the backend
> server's certificate against a CA cert. I have this partially working.
>
> The problem I have is this: the application can be configured so that multiple
> backend servers may exist on the same machine, distinguished by their port
> numbers. So, I set the CN in the server certificate to something like
> "foo.bar.com:4060".

No client in the world will handle that. The CN is supposed to contain the
FQDN, nothing else. Why can't you use subjectAltName and put each backend
server on a different virtual IP address?

-- 
   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/
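The point Howard makes about the CN can be seen in the matching logic itself: a TLS client takes the host part of the URL, with the port stripped, and compares it against the certificate's subjectAltName dNSName entries (falling back to the CN only when there are no dNSName entries, per RFC 6125 section 6.4.4). The following is an added illustration written for this thread, not code from curl or from either poster; it models certificates as plain dicts with a `cn` and a `san` list instead of parsing real X.509 data, and the `reference_identity`, `cert_matches_host` and `_label_match` names are its own.

```python
"""Hostname matching as a TLS client performs it (constructed illustration).

A certificate is represented here as {"cn": str | None, "san": [(kind, value), ...]}
rather than parsed from DER/PEM; the matching rules follow RFC 6125.
"""
from urllib.parse import urlsplit


def reference_identity(url: str) -> str:
    """Return the name a client matches against. The port is never part of it."""
    host = urlsplit(url).hostname  # strips scheme, userinfo, port and brackets
    if host is None:
        raise ValueError(f"no host in {url!r}")
    return host.lower().rstrip(".")


def _label_match(pattern: str, host: str) -> bool:
    """Exact match, or a single '*' in the leftmost label (RFC 6125 6.4.3)."""
    pattern = pattern.lower().rstrip(".")
    if pattern == host:
        return True
    if not pattern.startswith("*."):
        return False
    p_labels = pattern.split(".")
    h_labels = host.split(".")
    # A wildcard matches exactly one label and is refused for '*.tld' shapes,
    # a conservative rule many clients apply; it never spans label boundaries.
    if len(p_labels) != len(h_labels) or len(p_labels) < 3:
        return False
    return p_labels[1:] == h_labels[1:] and h_labels[0] != ""


def cert_matches_host(cert: dict, url: str) -> bool:
    """True if the certificate is valid for the host named in the URL."""
    host = reference_identity(url)
    dns_names = [v for (kind, v) in cert.get("san", []) if kind == "DNS"]
    if dns_names:
        # When any dNSName is present the CN is ignored entirely.
        return any(_label_match(n, host) for n in dns_names)
    cn = cert.get("cn")
    return cn is not None and _label_match(cn, host)


if __name__ == "__main__":
    # Constructed certificates: the one from the question, and two that work.
    certs = {
        "CN=foo.bar.com:4060, no SAN": {"cn": "foo.bar.com:4060", "san": []},
        "CN=foo.bar.com, no SAN": {"cn": "foo.bar.com", "san": []},
        "SAN DNS:foo.bar.com": {"cn": "ignored", "san": [("DNS", "foo.bar.com")]},
    }
    for label, cert in certs.items():
        for url in ("https://foo.bar.com:4060/RPC2", "https://foo.bar.com:4061/RPC2"):
            print(f"{label:28s} {url:32s} -> {cert_matches_host(cert, url)}")
```

Running it shows that the port never reaches the comparison, so a CN of `foo.bar.com:4060` matches nothing, while a plain `foo.bar.com` CN or dNSName is accepted for every port on that host. Put differently, the certificate identifies the host, not the service on it, which is why distinguishing backends by port cannot be expressed in the certificate; separate names or addresses in subjectAltName can.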
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette:  http://curl.haxx.se/mail/etiquette.html
Received on 2010-06-02