On 06/26/2011 08:05 PM, Peter Sylvester wrote:
> On 06/26/2011 02:59 PM, Alain Knaff via RT wrote:
>> Hello,
>>
>> openssl s_client -connect hostname.domain.com:443 does not verify that
>> the certificate matches the hostname. (i.e. hostname.domain.com should
>> match either the CN of subject, or in one of the subjectAltNames)
>>
>> Without such verification any web site owner who has a certificate can
>> mount a man-in-the-middle attack against any other web site.
> verifying a hostname is not part of SSL/TLS layer.

OTOH it might have been a good idea 10 years ago to have a function in openssl to permit hostname verification in case of usage for https; one might have avoided some strange certificate content. But extension support was somewhat weak.

... there are multiple common names, some clients test the last, some the first occurrence in the DN. Some clients totally ignore subjectAltNames. etc.

It would be interesting to see possible parameters for a function that would attempt to implement RFC 6125. :-)

regards

______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [email protected]
Automated List Manager [email protected]
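The kind of RFC 6125 matcher the reply asks about, as an added example that is not code from this thread or from OpenSSL. It works on names already parsed out of a certificate (the dNSName and iPAddress subjectAltName entries and every CN value found in the subject DN; all inputs below are constructed) and applies the rules the thread touches on: when a dNSName SAN is present the CN is ignored even if it would match, when there is no SAN every CN is tried rather than only the first or last occurrence, a wildcard is accepted only as a whole left-most label covering exactly one label, and an IP literal is compared only with iPAddress entries. The function names and the (matched, reason) return shape are my own choices.

```python
"""RFC 6125-style reference-identifier matching over already-parsed
certificate names (added example, not OpenSSL code)."""
import ipaddress


def _dns_match(pattern: str, hostname: str) -> bool:
    """Compare one dNSName pattern (SAN entry or CN value) with a hostname.

    Follows RFC 6125 section 6.4.3: case-insensitive label comparison,
    '*' is accepted only as the entire left-most label, it must be followed
    by at least two more labels, and it matches exactly one label.
    """
    pattern = pattern.strip().lower().rstrip(".")
    hostname = hostname.strip().lower().rstrip(".")
    if not pattern or not hostname:
        return False
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if "*" not in pattern:
        return p_labels == h_labels
    # Wildcard checks: whole left-most label only, nothing like "*.com",
    # and no '*' anywhere else in the name.
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    if any("*" in label for label in p_labels[1:]):
        return False
    # '*' covers one label, so "*.example.com" never matches "a.b.example.com"
    # or the bare "example.com".
    return len(h_labels) == len(p_labels) and h_labels[1:] == p_labels[1:]


def verify_hostname(hostname, san_dns, san_ip, subject_cns):
    """Return (matched, reason) for a hostname against parsed certificate names.

    san_dns / san_ip: dNSName and iPAddress subjectAltName entries as strings.
    subject_cns: every CN attribute found in the subject DN, in DN order.
    """
    try:
        wanted_ip = ipaddress.ip_address(hostname.strip("[]"))
    except ValueError:
        wanted_ip = None

    if wanted_ip is not None:
        # An IP literal is compared only with iPAddress entries; a dNSName or
        # CN that happens to spell the address never counts.
        for entry in san_ip:
            try:
                if ipaddress.ip_address(entry) == wanted_ip:
                    return True, f"matched iPAddress {entry}"
            except ValueError:
                continue
        return False, "no iPAddress subjectAltName matches"

    if san_dns:
        # A dNSName SAN is present, so the CN is not consulted at all
        # (RFC 6125 section 6.4.4, RFC 2818 section 3.1) even if it would match.
        for entry in san_dns:
            if _dns_match(entry, hostname):
                return True, f"matched dNSName {entry}"
        return False, "dNSName subjectAltName present but none matches"

    # Legacy fallback: no dNSName SAN, so try every CN rather than only the
    # first or last occurrence in the DN.
    for cn in subject_cns:
        if _dns_match(cn, hostname):
            return True, f"matched CN {cn} (no dNSName SAN, legacy fallback)"
    return False, "no dNSName subjectAltName and no CN matches"


if __name__ == "__main__":
    # Constructed sample certificates, each given as its parsed name lists.
    cases = [
        ("www.example.com", ["www.example.com"], [], ["www.example.com"]),
        ("www.example.com", ["mail.example.com"], [], ["www.example.com"]),
        ("www.example.com", [], [], ["Example Ltd", "www.example.com"]),
        ("a.b.example.com", ["*.example.com"], [], []),
        ("192.0.2.10", ["192.0.2.10"], [], []),
    ]
    for host, dns, ips, cns in cases:
        print(host, verify_hostname(host, dns, ips, cns))
```

The second sample case is the one that matters for the original report: a certificate whose CN names the host but whose SAN does not is rejected, so a peer cannot rely on a stray CN to pass as another site. Later OpenSSL releases added X509_check_host() (1.0.2) and SSL_set1_host() (1.1.0) for this purpose, and s_client gained a -verify_hostname option; on those versions the check should be done there rather than reimplemented.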
