On 27/06/11 11:54, Peter Sylvester via RT wrote:
> On 06/26/2011 08:05 PM, Peter Sylvester wrote:
>> On 06/26/2011 02:59 PM, Alain Knaff via RT wrote:
>>> Hello,
>>>
>>> openssl s_client -connect hostname.domain.com:443 does not verify that
>>> the certificate matches the hostname. (i.e. hostname.domain.com should
>>> match either the CN of subject, or in one of the subjectAltNames)
>>>
>>> Without such verification any web site owner who has a certificate can
>>> mount a man-in-the-middle attack against any other web site.
>> verifying a hostname is not part of SSL/TLS layer.
> OTOH It might have been a good idea 10 years ago
> to have a function in openssl to permit hostname
> verification in case of usage for https, one might have
> avoided some strange certificate content.
> But extension support was somewhat weak.

I think it is still a good idea to implement this.

I've tried to use openssl to check certificate installations on our
server. Indeed, it has happened often in the past that we had mixups
with chained certificates. When this happens, the browser does not flag
the problem, if the chain certificate happens to be in its cache due to
an earlier visit to the same site (when it was still ok), or to another
site which uses the same CA. So, when doing such tests with a browser, I
need to be extra careful to manually remove any chained certificates,
which is cumbersome.

OpenSSL now looked promising for doing this test, as it doesn't have any
such cache. But unfortunately, it doesn't catch mismatches with server
names :-(

> 
> ... there are multiple common names, some clients test the
> last, some the first occurrence in the DN.

That's why it is useful to have a reliable test tool.

> Some clients
> totally ignore subjectAltNames. etc.

Most mainstream clients nowadays do support subjectAltNames.

> 
> It would be interesting to see possible parameters
> for a function that would attempt to implement
> rfc6125. :-)
> 
> 
> regards
> 

Thanks,

Alain


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org
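The check this thread asks for, written out as an added example that is not part of the thread and not OpenSSL project code: a small Python test tool that verifies the chain against the system trust store (with no cached-intermediate behaviour, so a missing chain certificate fails), then applies RFC 6125 matching rules to the certificate the server actually sent: subjectAltName dNSName entries take precedence, the subject CN is consulted only when no dNSName is present, an IP address is matched only against iPAddress SAN entries, and a wildcard must be the whole left-most label and matches exactly one label. Two decisions are this example's own conservative choices rather than anything the RFC or the thread settles: a subject with more than one CN is treated as a mismatch (since clients disagree on whether the first or last wins), and a wildcard with fewer than two literal labels after it (`*.com`) is refused. The sample certificate dictionaries are constructed for the self-test; `hostname.domain.com` and the other names are illustrative.

```python
"""RFC 6125-style hostname check for a TLS certificate test tool (added example).

Works on the certificate dictionary shape returned by
ssl.SSLSocket.getpeercert():
  {'subject': ((('commonName', 'x'),), ...),
   'subjectAltName': (('DNS', 'x'), ('IP Address', '192.0.2.1'), ...)}
"""
import ipaddress
import socket
import ssl


def _dns_name_match(pattern, hostname):
    """Match one dNSName/CN pattern against a hostname, case-insensitively.

    A wildcard counts only as the entire left-most label, it matches exactly
    one label, and (conservative assumption) at least two literal labels must
    follow it: '*.example.com' is accepted, '*.com' is not.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if (p_labels[0] != "*" or len(p_labels) < 3
            or any("*" in lbl for lbl in p_labels[1:])):
        return False
    if len(h_labels) != len(p_labels) or h_labels[0] == "":
        return False
    return h_labels[1:] == p_labels[1:]


def match_hostname(cert, hostname):
    """True if `cert` is valid for `hostname` under RFC 6125 precedence rules."""
    san = cert.get("subjectAltName", ())
    dns_names = [v for t, v in san if t == "DNS"]
    ip_names = []
    for t, v in san:
        if t == "IP Address":
            try:
                ip_names.append(ipaddress.ip_address(v))
            except ValueError:
                pass  # malformed entry: ignore it rather than match it
    try:
        wanted_ip = ipaddress.ip_address(hostname)
    except ValueError:
        wanted_ip = None
    if wanted_ip is not None:
        return wanted_ip in ip_names  # an IP in the CN never counts
    if dns_names:
        return any(_dns_name_match(p, hostname) for p in dns_names)
    # CN fallback, only when the certificate has no dNSName at all. Clients
    # disagree on which CN wins when there are several, so a tool that wants
    # a reliable verdict rejects a multi-CN subject instead of guessing.
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn
           if k == "commonName"]
    if len(cns) != 1:
        return False
    return _dns_name_match(cns[0], hostname)


def fetch_peer_cert(host, port=443, sni=None):
    """Connect, verify the chain against the system trust store, return the cert.

    verify_mode stays CERT_REQUIRED; only the library's own hostname check is
    switched off so that match_hostname() can report its own verdict.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((host, port)) as raw:
        with ctx.wrap_socket(raw, server_hostname=sni or host) as tls:
            return tls.getpeercert()


def check_server(host, port=443):
    """Chain verification plus hostname match, returned as an (ok, detail) pair."""
    try:
        cert = fetch_peer_cert(host, port)
    except ssl.SSLCertVerificationError as exc:  # missing chain, expired, ...
        return False, "chain verification failed: %s" % exc
    if match_hostname(cert, host):
        return True, "certificate matches %s" % host
    return False, "certificate does not match %s: SAN=%r subject=%r" % (
        host, cert.get("subjectAltName"), cert.get("subject"))


# Constructed sample certificate (not a real one) used for the self-test.
SAMPLE_CERT = {
    "subject": ((("commonName", "wrong.example.org"),),),
    "subjectAltName": (("DNS", "hostname.domain.com"),
                       ("DNS", "*.domain.net"),
                       ("IP Address", "192.0.2.10")),
}


if __name__ == "__main__":
    import sys
    if len(sys.argv) < 2:
        print("self-test:", match_hostname(SAMPLE_CERT, "hostname.domain.com"))
        sys.exit(0)
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    ok, detail = check_server(sys.argv[1], port)
    print(("OK: " if ok else "FAIL: ") + detail)
    sys.exit(0 if ok else 1)
```

Run as `python tlscheck.py hostname.domain.com 443` (the file name is the reader's choice) to get a pass/fail verdict that covers both the chain and the name; because the chain is verified fresh on every run, the cached-intermediate problem described above cannot mask a server that omits its chain certificate. Later OpenSSL releases added a `-verify_hostname` option to `s_client`; the matching rules above are what such an option has to decide.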