On Jul 24, 2009, at 4:35 PM, Tony Arcieri wrote:
> What exactly are you trying to accomplish with a
> "post_connection_check"?

There are two levels of SSL certificate validation. First, you want
to verify that a peer's certificate has valid contents (e.g.,
certificate isn't malformed, expired, or revoked) and is properly
signed by a trusted CA. This is what the OpenSSL library does for you
automatically when it receives a peer cert (if you've configured the
context to require a peer cert).

Second, you want to verify that the identity specified in the peer
cert matches your peer. This is what post_connection_check does.
What check you do depends on your application, but it might include
things like checking that the common name stored in the cert matches
the domain name or IP address of your peer. For example, if you
connect to https://www.google.com, you want to make sure the cert is
for www.google.com and not for some other random site (just because
the cert is properly signed doesn't mean that it's valid for the
particular connection). In my case, I need to make sure the cert
provided by a client of my service is correct for the actual client
host that connected to me (I do this by issuing client certs that have
an IP address in the common name field). This sort of SSL
certificate-based client authentication doesn't happen on the web
because client authentication on the web happens in the application
protocols (e.g., HTTP or higher level), but it's needed for closed,
secured private services like mine.

Please see the implementation of post_connection_check in
$RUBY_SOURCE/ext/openssl/lib/openssl/ssl.rb for further details.

--Young
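
The two validation levels described in the message above, as an added Ruby example that is not part of the original message or of the Ruby source. The throwaway CA, the client cert with CN 192.0.2.10, and the helper names (make_cert, chain_trusted?, identity_matches?, accept_client?) are constructed for illustration.

```ruby
require "openssl"

# Build a certificate for the constructed test PKI (self-signed unless an issuer is given).
def make_cert(cn, key, issuer_cert: nil, issuer_key: nil, ca: false)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = rand(1..2**32)
  cert.subject = OpenSSL::X509::Name.new([["CN", cn]])
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  if ca
    ef = OpenSSL::X509::ExtensionFactory.new
    ef.subject_certificate = cert
    ef.issuer_certificate = cert
    cert.add_extension(ef.create_extension("basicConstraints", "CA:TRUE", true))
  end
  cert.sign(issuer_key || key, OpenSSL::Digest.new("SHA256"))
  cert
end

# Constructed sample data: one CA and one client cert with an IP address in the CN.
CA_KEY      = OpenSSL::PKey::RSA.new(2048)
CA_CERT     = make_cert("Example Test CA", CA_KEY, ca: true)
CLIENT_KEY  = OpenSSL::PKey::RSA.new(2048)
CLIENT_CERT = make_cert("192.0.2.10", CLIENT_KEY,
                        issuer_cert: CA_CERT, issuer_key: CA_KEY)

# Level 1: contents are valid and the cert chains to a trusted CA.
def chain_trusted?(cert, ca_cert)
  store = OpenSSL::X509::Store.new
  store.add_cert(ca_cert)
  store.verify(cert)
end

# Level 2: the identity in the cert matches the peer that actually connected.
# post_connection_check performs this comparison on a live SSLSocket.
def identity_matches?(cert, peer_addr)
  OpenSSL::SSL.verify_certificate_identity(cert, peer_addr)
end

# A peer is accepted only when both levels pass.
def accept_client?(cert, ca_cert, peer_addr)
  chain_trusted?(cert, ca_cert) && identity_matches?(cert, peer_addr)
end
```

On a live connection the peer address would come from the accepted socket (for example its peeraddr) rather than from a literal string.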