On 06/26/2011 08:05 PM, Peter Sylvester wrote:
On 06/26/2011 02:59 PM, Alain Knaff via RT wrote:
Hello,

openssl s_client -connect hostname.domain.com:443 does not verify that
the certificate matches the hostname. (i.e. hostname.domain.com should
match either the CN of the subject, or one of the subjectAltNames)

Without such verification any web site owner who has a certificate can
mount a man-in-the-middle attack against any other web site.
Verifying a hostname is not part of the SSL/TLS layer.
OTOH it might have been a good idea 10 years ago
to have a function in openssl to permit hostname
verification in case of usage for https, one might have
avoided some strange certificate content.
But extension support was somewhat weak.

... there are multiple common names, some clients test the
last, some the first occurrence in the DN. Some clients
totally ignore subjectAltNames. etc.

It would be interesting to see possible parameters
for a function that would attempt to implement
rfc6125. :-)


regards

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org
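The reply asks what a function implementing RFC 6125 hostname matching would look like. Below is an added illustration, not OpenSSL code and not from either poster: it assumes the certificate chain has already been validated and that the caller has extracted the subject CN values and the subjectAltName dNSName/iPAddress entries as plain strings (for example from the `cryptography` library or `openssl x509 -text`). It applies the RFC 6125 rules conservatively: dNSName SANs take precedence and the CN is ignored whenever any are present, an IP literal may only match an iPAddress SAN, a wildcard is accepted only as the whole left-most label with at least two labels after it, and a DN carrying more than one CN (the ambiguity the thread mentions) is rejected rather than guessed at. Helper and function names are my own.

```python
import ipaddress


def _normalize(name: str) -> str:
    """DNS names compare case-insensitively; a single trailing dot is not significant."""
    return name.strip().rstrip(".").lower()


def match_dns_name(pattern: str, hostname: str) -> bool:
    """Match one presented dNSName (or CN) against the reference hostname.

    Conservative reading of RFC 6125 section 6.4.3: a wildcard is accepted only
    as the entire left-most label, it must be followed by at least two labels
    (so '*.com' never matches anything), and it never spans a label boundary.
    """
    pattern, hostname = _normalize(pattern), _normalize(hostname)
    if not pattern or not hostname:
        return False
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False  # partial wildcard such as 'f*.example.com', or '*.com': reject
    if len(p_labels) != len(h_labels):
        return False  # '*.domain.com' must not match 'b.a.domain.com' or 'domain.com'
    return p_labels[1:] == h_labels[1:]


def verify_hostname(hostname, san_dns_names=(), subject_cns=(), san_ips=()):
    """Return True iff `hostname` matches the certificate identity per RFC 6125.

    san_dns_names: dNSName entries from subjectAltName (strings)
    subject_cns:   commonName values from the subject DN, in DN order (strings)
    san_ips:       iPAddress entries from subjectAltName (strings)
    """
    # 1. An IP literal may only match an iPAddress SAN, never a dNSName or a CN.
    try:
        ref_ip = ipaddress.ip_address(hostname)
    except ValueError:
        ref_ip = None
    if ref_ip is not None:
        for presented in san_ips:
            try:
                if ipaddress.ip_address(presented) == ref_ip:
                    return True
            except ValueError:
                continue  # malformed iPAddress entry: ignore it, do not match
        return False
    # 2. If the certificate carries any dNSName SAN, the CN is ignored entirely.
    if san_dns_names:
        return any(match_dns_name(p, hostname) for p in san_dns_names)
    # 3. Legacy fallback: CN is consulted only when no dNSName SAN exists.
    #    Clients disagree on which CN to use when there are several, so treat
    #    a multi-CN subject as ambiguous and refuse it.
    if len(subject_cns) != 1:
        return False
    return match_dns_name(subject_cns[0], hostname)


if __name__ == "__main__":
    # Constructed sample identities for the hostname from the thread.
    host = "hostname.domain.com"
    print(verify_hostname(host, san_dns_names=["hostname.domain.com"]))       # True
    print(verify_hostname(host, san_dns_names=["*.domain.com"]))              # True
    print(verify_hostname(host, subject_cns=["hostname.domain.com"]))         # True (no SAN)
    print(verify_hostname(host, san_dns_names=["other.domain.com"],
                          subject_cns=["hostname.domain.com"]))               # False (CN ignored)
```

The point for a client author: the check is a separate step after chain validation, and it should be run against the reference identity the user actually typed, not against anything read back from the certificate. Newer OpenSSL releases expose this step to `s_client` via `-verify_hostname`; the function above shows what that check has to decide.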
