As folks may know, for most applications an SSL/TLS client is supposed to check that the DNS name of the host as found in the server cert matches the host name that the client is trying to connect to, i.e. the one that supplies the service the client is trying to use. This check is not mandated in the SSL or TLS specs per se, but is left to be defined by each application protocol as part of its profile for using SSL/TLS. Fortunately those that have been specified (IMAP, HTTP, LDAP, SMTP) are more or less in sync. I include at the end of this message the language from RFC 2595 on IMAP/POP/ACAP and TLS.
I'm no OpenSSL expert but it looks to me like it doesn't have any code
built-in to do this check; perhaps I've missed it. I've looked through
Lutz Jaenicke's postfix-tls code and see that he has implemented this
check there. It would seem to me to be a Good Thing to have this written
once, and made a part of OpenSSL, so many apps can use it, especially
since it seems to me to be a little tricky to get right (handling
subjectAltName etc). I'm curious whether anyone is working on this.
There is also the delicate question of exactly what name the app hands to
the check algorithm as the target host name. The text below is
unambiguous that it must be "what the user typed", not the canonical host
name as determined via DNS. This avoids DNS spoofing but raises some
serious deployment problems, in particular if a host has lots of aliases.
I don't propose to solve this here but merely note that handling this
correctly is yet another reason to not re-invent this wheel many times.
Thanks,
- RL "Bob"
---
(from RFC 2595)

2.4. Server Identity Check

During the TLS negotiation, the client MUST check its understanding of the server hostname against the server's identity as presented in the server Certificate message, in order to prevent man-in-the-middle attacks. Matching is performed according to these rules:

- The client MUST use the server hostname it used to open the connection as the value to compare against the server name as expressed in the server certificate. The client MUST NOT use any form of the server hostname derived from an insecure remote source (e.g., insecure DNS lookup). CNAME canonicalization is not done.
- If a subjectAltName extension of type dNSName is present in the certificate, it SHOULD be used as the source of the server's identity.
- Matching is case-insensitive.
- A "*" wildcard character MAY be used as the left-most name component in the certificate. For example, *.example.com would match a.example.com, foo.example.com, etc. but would not match example.com.
- If the certificate contains multiple names (e.g. more than one dNSName field), then a match with any one of the fields is considered acceptable.

If the match fails, the client SHOULD either ask for explicit user confirmation, or terminate the connection and indicate the server's identity is suspect.
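The matching rules quoted above, written out as an added example in plain C. This is not the poster's code, not Lutz Jaenicke's postfix-tls code, and not OpenSSL's; it takes the dNSName strings already extracted from the certificate and the host name the user typed, and applies the RFC 2595 rules: case-insensitive comparison, "*" only as the whole left-most label, and any one of several dNSName values being sufficient. Where the RFC text is silent (how many labels a wildcard may absorb), the code takes the stricter reading that "*" stands for exactly one label. All host names and dNSName values in it are constructed sample data.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Case-insensitive comparison of n bytes (RFC 2595: matching is case-insensitive). */
static bool ci_equal(const char *a, const char *b, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return false;
    return true;
}

/* Match one certificate dNSName ("pattern") against the host name the user
 * typed ("host").  "host" must be the name used to open the connection, never
 * a CNAME-canonicalised or DNS-derived form.
 * Wildcard rule: "*" is accepted only as the entire left-most label, and is
 * taken to stand for exactly one label (stricter reading than the RFC text),
 * so "*.example.com" matches "a.example.com" but neither "example.com" nor
 * "a.b.example.com". */
bool dnsname_match(const char *pattern, const char *host) {
    size_t plen = strlen(pattern), hlen = strlen(host);
    if (plen == 0 || hlen == 0) return false;

    if (pattern[0] == '*') {
        /* Need "*." plus at least one character of suffix. */
        if (plen < 3 || pattern[1] != '.') return false;
        if (strchr(pattern + 1, '*') != NULL) return false;   /* one wildcard only */

        const char *dot = strchr(host, '.');
        if (dot == NULL || dot == host) return false;         /* host needs its own left-most label */

        const char *suffix = pattern + 1;                     /* ".example.com" */
        size_t slen = plen - 1;
        size_t rest = hlen - (size_t)(dot - host);            /* host from its first '.' onward */
        return rest == slen && ci_equal(dot, suffix, slen);
    }

    /* A wildcard anywhere other than the left-most label is not allowed. */
    if (strchr(pattern, '*') != NULL) return false;
    return plen == hlen && ci_equal(pattern, host, plen);
}

/* RFC 2595: with several dNSName fields, a match against any one is acceptable. */
bool cert_matches_host(const char *const *dnsnames, size_t count, const char *host) {
    for (size_t i = 0; i < count; i++)
        if (dnsname_match(dnsnames[i], host)) return true;
    return false;
}

/* Constructed sample: the dNSName values one might find in a server cert. */
const char *const SAMPLE_DNSNAMES[] = { "mail.example.net", "*.example.com" };
#define SAMPLE_DNSNAME_COUNT (sizeof(SAMPLE_DNSNAMES) / sizeof(SAMPLE_DNSNAMES[0]))

int main(void) {
    const char *hosts[] = { "IMAP.Example.COM", "example.com", "a.b.example.com", "mail.example.net" };
    for (size_t i = 0; i < sizeof(hosts) / sizeof(hosts[0]); i++)
        printf("%-20s -> %s\n", hosts[i],
               cert_matches_host(SAMPLE_DNSNAMES, SAMPLE_DNSNAME_COUNT, hosts[i]) ? "match" : "MISMATCH");
    return 0;
}
```

The caller is responsible for the one thing the RFC stresses most: passing the name the user actually typed, not a name recovered from an insecure lookup. (Current OpenSSL releases, from 1.0.2 on, carry this check in the library as X509_check_host() and SSL_set1_host(); it was not present at the time of this post.)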
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]