SSL (combined patches, notes)

Russ Allbery rra at stanford.edu
Sat Dec 28 06:32:44 UTC 2002


Bear Giles <bear at coyotesong.com> writes:

> Suggested remaining tasks, besides some extensions mentioned in FIXMEs,
> include:

>  - track the amount of data transferred to perform periodic 
>    renegotiation of the session key (SSL_rehandhake()).

>  - use SSL_get_peer() to get verified client certificate, if
>    available, and use it to create an additional header line when
>    posting articles (X-Auth-Poster?).  This header could use

>      X509_NAME_oneline(X509_get_subject_name(peer),...)

>    for the full distinguished name, or

>      X509_name_get_text_by_NID(X509_get_subject_name(peer),
>        NID_commonName,...)
   
>    for the client's "common name" alone.

>  - use the server's key to generate an HMAC of the body of the 
>    message (and most headers?), then include that digest in the 
>    headers.  This allows a news administrator to determine if
>    a complaint about the content of a message is fraudulent since
>    the message was changed after transmission.

Thanks, these have been included in INN's TODO file.

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>
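
The HMAC header item in the quoted list, sketched as an added example that is not part of the original message or of INN's code. The header name `X-Server-HMAC`, the set of signed headers, the use of HMAC-SHA256 with a server-held secret, and the sample article and key are all assumptions made for illustration.

```python
import hashlib
import hmac

SIGNED = ("from", "newsgroups", "subject", "message-id", "date")  # assumed header set
TAG_HEADER = "X-Server-HMAC"  # hypothetical header name, not an INN header


def _parse(article):
    """Return ({lowercased header name: value}, body), unfolding continuation lines."""
    head, _, body = article.replace("\r\n", "\n").partition("\n\n")
    headers, name = {}, None
    for line in head.split("\n"):
        if line[:1] in (" ", "\t") and name:
            headers[name] += " " + line.strip()
        elif ":" in line:
            name, _, value = line.partition(":")
            name = name.strip().lower()
            headers[name] = value.strip()
    return headers, body


def compute_tag(key, article):
    """HMAC-SHA256 over the signed headers (length-prefixed) and the body."""
    headers, body = _parse(article)
    mac = hmac.new(key, digestmod=hashlib.sha256)
    for name in SIGNED:
        value = headers.get(name, "").encode()
        mac.update(b"%s:%d:%s\n" % (name.encode(), len(value), value))
    mac.update(b"body:" + body.encode())
    return mac.hexdigest()


def stamp(key, article):
    """Add the tag header; the server does this once, when it accepts the post."""
    head, sep, body = article.replace("\r\n", "\n").partition("\n\n")
    return f"{head}\n{TAG_HEADER}: {compute_tag(key, article)}{sep}{body}"


def is_unmodified(key, article):
    """True only if the article still matches the tag the server attached."""
    claimed = _parse(article)[0].get(TAG_HEADER.lower(), "")
    return hmac.compare_digest(claimed.encode(), compute_tag(key, article).encode())


KEY = b"constructed-demo-key"  # constructed sample secret
ARTICLE = ("From: poster@example.org\nNewsgroups: misc.test\nSubject: hello\n"
           "Message-ID: <1@example.org>\nDate: Wed, 01 Jan 2003 00:00:00 +0000\n"
           "\nOriginal body text.\n")  # constructed sample article
STAMPED = stamp(KEY, ARTICLE)
TAMPERED = STAMPED.replace("Original body", "Forged body")
```

An administrator holding the key runs `is_unmodified` on the copy attached to a complaint; headers outside the signed set, such as a path header rewritten in transit, do not affect the result.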


More information about the inn-patches mailing list