Surprise... Although the server certificate SHOULD be verified, IBM did not
perform this check until APAR OA63164...

ITschak

ITschak Mugzach
| IronSphere Platform | Information Security Continuous Monitoring for z/OS, x/Linux & IBM i | z/VM coming soon

On Tue, Jun 27, 2023 at 4:31 PM Charles Mills <charl...@mcn.org> wrote:

> The check is "optional" on the application's part for z/OS System SSL:
>
> https://www.ibm.com/docs/en/zos/2.5.0?topic=reference-gsk-validate-server
>
> I use optional in quotes because the TLS protocol has two main purposes:
> encryption (which is not under discussion here) and preventing a
> man-in-the-middle attack. The server certificate proves the identity of the
> server that the client has actually connected to -- proves that it is not
> some imposter "in the middle." Yes, it is utterly possible for a client
> application to skip that step, but it is a Really Bad Idea.
>
> If the user has specified an IP address then in some senses that is
> equivalent to a URL, except that there is no way to check that the server
> certificate is really for the site the user intended to connect to. (Unless
> the certificate is in fact issued for an IP address -- which is rare.)
> Actually, some servers now will not even allow a connection by IP address:
> they demand a TLS protocol feature called Server Name Indication (SNI) in
> which the client indicates the name they are trying to connect to early in
> the TLS startup sequence. That lets a server respond differently depending
> on exactly which DNS name the user has specified.
>
> Charles
>
> On Mon, 26 Jun 2023 18:57:13 -0700, Tom Brennan <
> t...@tombrennansoftware.com> wrote:
>
> >In my limited (non-mainframe) experience with OpenSSL, I think it's up
> >to the application to decide whether to check the common name in a
> >validated cert with, say, a URL or IP address string.  So it could be an
> >older application didn't bother, and a newer one does.  Just guessing.
>
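The checks Charles describes above, as an added example that is not from the thread and is not z/OS System SSL's or OpenSSL's own API: the name-or-IP match a client must perform against the certificate's subjectAltName (an IP target can only be vouched for by an iPAddress entry), a Python `ssl` client context that performs chain and hostname verification and sends SNI, and a small audit helper that flags a context which skips either check. The SAN tuples and names are constructed samples.

```python
import ipaddress
import socket
import ssl

# Constructed samples in the shape ssl.SSLSocket.getpeercert()["subjectAltName"] returns.
SAN_DNS_ONLY = (("DNS", "listserv.example.com"), ("DNS", "*.example.com"))  # the usual case
SAN_WITH_IP = SAN_DNS_ONLY + (("IP Address", "192.0.2.10"),)              # the rare case

def _dns_match(pattern: str, name: str) -> bool:
    """RFC 6125-style match; '*' allowed only as the entire leftmost label."""
    pattern, name = pattern.lower().rstrip("."), name.lower().rstrip(".")
    if pattern == name:
        return True
    p, n = pattern.split("."), name.split(".")
    return p[0] == "*" and len(p) == len(n) >= 3 and p[1:] == n[1:]

def server_identity_matches(san, target: str) -> bool:
    """True if the certificate's subjectAltName covers the name or IP the user typed.
    An IP target matches only an iPAddress entry, so a DNS-only certificate gives
    no assurance about a server that was reached by IP address."""
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None
    for kind, value in san:
        if ip is not None and kind == "IP Address" and ipaddress.ip_address(value) == ip:
            return True
        if ip is None and kind == "DNS" and _dns_match(value, target):
            return True
    return False

def make_client_context() -> ssl.SSLContext:
    """Client context that verifies the chain and the hostname (the non-optional check)."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + check_hostname=True + system CAs
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def context_is_verifying(ctx: ssl.SSLContext) -> bool:
    """Audit helper: a context skipping either check is the 'Really Bad Idea' above."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)

def connect(host: str, port: int = 443) -> ssl.SSLSocket:
    """Connect with SNI sent; server_hostname is also the name the cert is checked against."""
    ctx = make_client_context()
    return ctx.wrap_socket(socket.create_connection((host, port)), server_hostname=host)
```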

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
