On 26/06/2011 15:40, David Schwartz wrote:
> On 6/26/2011 5:59 AM, Alain Knaff via RT wrote:
> 
>> openssl s_client -connect hostname.domain.com:443 does not verify that
>> the certificate matches the hostname. (i.e. hostname.domain.com should
>> match either the CN of the subject or one of the subjectAltNames)
> 
>> Without such verification any web site owner who has a certificate can
>> mount a man-in-the-middle attack against any other web site.
> 
> The certificate is displayed. Because this is merely a test tool and
> example code, that would seem to be sufficient.

Actually, it would be nice if it showed how to check the name.

Apparently people forget to do that, and no surprise if the example code
doesn't show how.

-- 
http://www.apache-ssl.org/ben.html           http://www.links.org/

"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org
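The check Ben asks for above is the host-name matching that s_client leaves to the reader: take the dNSName entries from subjectAltName (falling back to the subject CN only when no dNSName is present) and compare each against the name that was dialled, with the wildcard rules of RFC 6125 section 6.4.3. The following is an added example written for this thread, not code from OpenSSL or from any participant; it implements only the string comparison and assumes the caller has already extracted the identifiers from the peer certificate (constructed sample identities are embedded in main). OpenSSL 1.0.2 and later provide X509_check_host(3) for the same job, which should be preferred in real code over hand-rolled matching.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Case-insensitive ASCII comparison of two DNS names (DNS names are
 * case-insensitive; this does not handle IDNA/U-labels). */
static int dns_ieq(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    return *a == *b;            /* both strings must end together */
}

/* Match one presented identifier (a SAN dNSName or the subject CN)
 * against the reference hostname. Rules (RFC 6125 s6.4.3):
 *  - exact, case-insensitive match, or
 *  - a single '*' forming the entire left-most label, matching exactly
 *    one label, and only when at least two labels follow it
 *    ("*.domain.com" ok, "*.com" rejected, "h*.domain.com" rejected). */
int match_dns_id(const char *pattern, const char *host)
{
    if (!pattern || !host || !*pattern || !*host)
        return 0;
    const char *star = strchr(pattern, '*');
    if (!star)
        return dns_ieq(pattern, host);
    /* wildcard must be the whole first label: "*." then the rest */
    if (star != pattern || pattern[1] != '.' || strchr(pattern + 2, '*'))
        return 0;
    const char *rest = pattern + 1;          /* ".domain.com" */
    if (!strchr(rest + 1, '.'))              /* reject "*.com" */
        return 0;
    const char *dot = strchr(host, '.');     /* skip host's first label */
    if (!dot || dot == host)                 /* need a non-empty left label */
        return 0;
    return dns_ieq(rest, dot);               /* "*" matches exactly one label */
}

/* Verify the dialled hostname against the certificate's identities.
 * If any dNSName SAN is present, the CN must be ignored entirely;
 * only certificates with no dNSName SAN fall back to the CN. */
int verify_hostname(const char *host, const char **sans, size_t nsans,
                    const char *cn)
{
    if (nsans > 0) {
        for (size_t i = 0; i < nsans; i++)
            if (match_dns_id(sans[i], host))
                return 1;
        return 0;
    }
    return match_dns_id(cn, host);
}

int main(void)
{
    /* Constructed identities, not from any real certificate. */
    const char *host = "hostname.domain.com";
    const char *sans_ok[]  = { "www.domain.com", "*.domain.com" };
    const char *sans_bad[] = { "www.other.com" };

    printf("SAN list containing *.domain.com: %d\n",
           verify_hostname(host, sans_ok, 2, "ignored.example"));
    /* CN matches, but a dNSName SAN exists, so the CN is not consulted.
     * This is the case in which a certificate for another site is
     * presented by a man-in-the-middle: the name check must fail. */
    printf("SAN list for another site, CN matching: %d\n",
           verify_hostname(host, sans_bad, 1, host));
    printf("No SAN, CN matching: %d\n",
           verify_hostname(host, NULL, 0, host));
    return 0;
}
```

The important design point is the order of checks: the name comparison runs after chain validation, not instead of it, and the CN is consulted only when the certificate carries no dNSName SAN at all. Without the second rule, a certificate issued to "www.other.com" whose CN happens to be set to the target name would pass, which is exactly the cross-site man-in-the-middle Alain describes.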
