On 08/02/12 12:43, Ondrej Mikle wrote:
On 02/07/2012 09:58 PM, Kai Engert wrote:
<snip>
That's a reason why I propose vouchers to be IP specific.

In my understanding, each IP will have only a single certificate,
regardless from where in the world you connect to it.

It's not true in general. There are services hidden with a load-balancer
behind a single IP. An example - 3m.com:

Also, a TLS Server might choose a different cert depending on the cipher suite list provided by the TLS client.

e.g.

$ openssl s_client -connect tls.secg.org:40023 -cipher RSA 2> /dev/null | grep "Certificate chain" -A 3
Certificate chain
 0 s:/OU=SAMPLE ONLY/O=Certicom Corp./L=Toronto/SN=Ontario/CN=tls.secg.org RSA 1024 Server Certificate/C=CA
   i:/OU=SAMPLE ONLY/O=Certicom Corp./L=Toronto/SN=Ontario/CN=tls.secg.org RSA 1024 Certificate Authority/C=CA
---

vs

$ openssl s_client -connect tls.secg.org:40023 -cipher ECDSA 2> /dev/null | grep "Certificate chain" -A 5
Certificate chain
 0 s:/OU=SAMPLE ONLY/O=Certicom Corp./L=Toronto/ST=Ontario/CN=tls.secg.org ECC secp256r1 Server Certificate/C=CA
   i:/OU=SAMPLE ONLY/O=Certicom Corp./L=Toronto/SN=Ontario/CN=tls.secg.org ECC secp256r1 Certificate Authority/C=CA
 1 s:/OU=SAMPLE ONLY/O=Certicom Corp./L=Toronto/SN=Ontario/CN=tls.secg.org ECC secp256r1 Certificate Authority/C=CA
   i:/OU=SAMPLE ONLY/O=Certicom Corp./L=Toronto/SN=Ontario/CN=tls.secg.org ECC secp256r1 Certificate Authority/C=CA
---

AFAIK, such configurations are not widespread today, but this would change if/when ECC certs start to be used more widely.

--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
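An added example (not from this thread): a Python script that parses the "Certificate chain" block of openssl s_client output, as shown in the two runs above, and reports whether one host:port presented different leaf certificates to different cipher lists, which is the case an IP-bound voucher would have to cope with. The embedded sample blocks are constructed from the two runs above; the probe() helper is an assumed wrapper around the same s_client command and needs network access.

```python
import re
import subprocess

# Constructed sample input: the "Certificate chain" blocks printed by the two
# openssl s_client runs quoted above (old-style s_client formatting).
SAMPLE_OUTPUT = {
    "RSA": """Certificate chain
 0 s:/OU=SAMPLE ONLY/O=Certicom Corp./L=Toronto/SN=Ontario/CN=tls.secg.org RSA 1024 Server Certificate/C=CA
   i:/OU=SAMPLE ONLY/O=Certicom Corp./L=Toronto/SN=Ontario/CN=tls.secg.org RSA 1024 Certificate Authority/C=CA
---
""",
    "ECDSA": """Certificate chain
 0 s:/OU=SAMPLE ONLY/O=Certicom Corp./L=Toronto/ST=Ontario/CN=tls.secg.org ECC secp256r1 Server Certificate/C=CA
   i:/OU=SAMPLE ONLY/O=Certicom Corp./L=Toronto/SN=Ontario/CN=tls.secg.org ECC secp256r1 Certificate Authority/C=CA
 1 s:/OU=SAMPLE ONLY/O=Certicom Corp./L=Toronto/SN=Ontario/CN=tls.secg.org ECC secp256r1 Certificate Authority/C=CA
   i:/OU=SAMPLE ONLY/O=Certicom Corp./L=Toronto/SN=Ontario/CN=tls.secg.org ECC secp256r1 Certificate Authority/C=CA
---
""",
}

SUBJECT_RE = re.compile(r"^\s*(\d+) s:(.*)$")   # " 0 s:/OU=..."
ISSUER_RE = re.compile(r"^\s*i:(.*)$")          # "   i:/OU=..."

def parse_chain(output):
    """Return [(depth, subject, issuer), ...] from s_client's "Certificate chain" block."""
    chain, lines = [], iter(output.splitlines())
    for line in lines:
        m = SUBJECT_RE.match(line)
        if not m:
            continue
        im = ISSUER_RE.match(next(lines, ""))   # issuer line follows its subject line
        chain.append((int(m.group(1)), m.group(2).strip(), im.group(1).strip() if im else ""))
    return chain

def probe(host, port, cipher_list):
    """Hypothetical helper: run s_client restricted to one cipher list (needs network)."""
    proc = subprocess.run(["openssl", "s_client", "-connect", f"{host}:{port}",
                           "-cipher", cipher_list], input=b"", capture_output=True, timeout=20)
    return proc.stdout.decode(errors="replace")

def leaf_subjects(outputs):
    """Map each cipher list to the leaf (depth 0) subject it elicited, or None if no chain."""
    return {c: next((s for d, s, _ in parse_chain(t) if d == 0), None) for c, t in outputs.items()}

def serves_multiple_certs(outputs):
    """True when one host:port presented different leaf certs to different cipher lists,
    i.e. a voucher bound to that IP would have to cover more than one certificate."""
    return len(set(leaf_subjects(outputs).values())) > 1
```

To run it against a live server, collect `{"RSA": probe(host, port, "RSA"), "ECDSA": probe(host, port, "ECDSA")}` and pass that dict to serves_multiple_certs().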
