Re: SSL with dynamic IP
Jochen Schaefer wrote:
> does anybody know how to accept an SSL certificate where only the certificate date and the company which issued it have to be valid?
> I want to establish an SSL connection between 2 Tomcat web servers where both have the possibility to access each other. One has a static IP, the other one a dynamic IP.

I don't see your problem. Normally a certificate contains a host name, not an IP address. So long as the servers are addressed via unchanging host names, you can check whether the certificates contain the right host names.

Ciao,
Richard
--
Dr. Richard W. Könning
Fujitsu Siemens Computers GmbH
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                          [EMAIL PROTECTED]
Automated List Manager                             [EMAIL PROTECTED]
Re: SSL with dynamic IP
Jochen Schaefer wrote:
[...]
> So, would it be possible to just name the certificate with the server's name, for example "Myserver", and this server could have a dynamic IP, or does the certificate need to be named "www.myserver.com"?
> The whole system I want to develop is that a user connects to a server and triggers some commands to get/send data from or to a dynamic-IP server. To connect the user to the static-IP server I use an SSL connection. For the connection to the dynamic-IP servers I have the problem of authenticating them. Though the date and the company that issued it are known, because it's me, I don't need the IP address. An additional authentication will be done in the first one or two packets transferred between the servers to verify it's the correct one. How can I implement this in Tomcat, or do I have to implement the whole authentication mechanism in my client, doing it manually instead of implementing it in Tomcat?
>
>   Dynamic IPServer1 ---(using SSL, server auth. not needed)--- Static IPServer ---(using SSL)--- User
>   Dynamic IPServer2 ---/
>
> Best regards
> Jochen

So this sounds to me like you want to implement the server yourself. Then it's completely your choice which certificates you'll accept. The match between hostname/IP and CN is only needed if you want to serve a browser using https. You should issue a certificate and set the CN to the user's name (or include some other information you need to verify that s/he should be given access, like the OU field) and check this in your server.

Kind regards
Ted
;)
--
PGP Version: 2.6.3i Public Key Information
Download complete Key from ftp://ftp.convey.de/ted/tedkey.asc
Key fingerprint = 26 A9 0C 25 60 15 2C B2 D0 F3 A2 31 3D 35 F3 95
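Ted's approach (issue the certificates from your own CA, put the peer's identity in the CN/OU, and check that yourself instead of matching hostname or IP) as an added example using Python's OpenSSL-backed ssl module; this is not code from the thread, and the organisation, OU, CN, dates and CA path are constructed.

```python
import ssl
import time

# Constructed sample in the shape returned by ssl.SSLSocket.getpeercert()
# for a verified peer; the organisation, CN, OU and dates are made up.
SAMPLE_PEER_CERT = {
    "subject": ((("organizationName", "Example GmbH"),),
                (("organizationalUnitName", "dynamic-servers"),),
                (("commonName", "Myserver"),)),
    "issuer": ((("organizationName", "Example GmbH"),),
               (("commonName", "Example Internal CA"),)),
    "notBefore": "Apr  7 00:00:00 2004 GMT",
    "notAfter": "Apr  7 00:00:00 2034 GMT",
}

def _attr(name, attr):
    """First value of `attr` in a getpeercert()-style name (tuple of RDNs)."""
    for rdn in name:
        for key, value in rdn:
            if key == attr:
                return value
    return None

def peer_is_acceptable(cert, issuer_o, allowed_ou, allowed_cns, now=None):
    """Accept the peer if its certificate comes from our own CA, is within
    its validity period and names a server we know. Hostname and IP are
    deliberately not consulted, since the peer's IP changes."""
    now = time.time() if now is None else now
    if _attr(cert.get("issuer", ()), "organizationName") != issuer_o:
        return False
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if not (not_before <= now <= not_after):
        return False
    subject = cert.get("subject", ())
    if _attr(subject, "organizationalUnitName") != allowed_ou:
        return False
    return _attr(subject, "commonName") in allowed_cns

def make_client_context(private_ca_pem):
    """Chain validation stays on but trusts only the private CA file (a
    hypothetical path); only the hostname match is disabled, because the
    identity check is done on the subject by peer_is_acceptable().
    Trusting the system store here would let any public CA's cert pass."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.load_verify_locations(cafile=private_ca_pem)
    return ctx
```

After the handshake, pass `sock.getpeercert()` to `peer_is_acceptable()` and close the connection if it returns False.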
Re: SSL with dynamic IP
On Wed, Apr 07, 2004 at 02:39:27PM -0700, Jochen Schaefer wrote:
> I want to establish an SSL connection between 2 Tomcat web servers where
> both have the possibility to access each other. One has a static IP, the
> other one a dynamic IP.

How about using a wildcard cert for the dynamic IP guy? Something like this:

1. Create a cert CN = "*.dyn.my.dom" for the server using dynamic IP.
2. Set up DNS such that all dynamic IPs that can possibly be used by the server PTR to your_server.dyn.my.dom.
3. Set up that SSL server to identify itself as your_server.dyn.my.dom, so that it satisfies the wildcard CN.

Modern browsers accept wildcard CN certs. You may have to configure/hack your static IP Tomcat server to do the same.

BTW, I believe this technique works for multiple servers on dynamic IPs. Each server can have a different keypair. Unless the peer's SSL library enforces a 1-1 mapping between a CN (including a wildcard one) and the keypair, so if it sees the wildcard CN with a particular keypair it will reject other keypairs with the same wildcard CN. I wonder if OpenSSL does this. The 1-1 mapping I mean.

Cheers.
--
Ng Pheng Siong <[EMAIL PROTECTED]>
http://firewall.rulemaker.net -+- Firewall Change Management & Version Control
http://sandbox.rulemaker.net/ngps -+- Open Source Python Crypto & SSL
Re: SSL with dynamic IP
Dr. Stephen Henson wrote:
> On Wed, Apr 07, 2004, Jochen Schaefer wrote:
> > Hi everybody,
> >
> > does anybody know how to accept an SSL certificate where only the
> > certificate date and the company which issued it have to be valid?
> > I want to establish an SSL connection between 2 Tomcat web servers where
> > both have the possibility to access each other. One has a static IP, the
> > other one a dynamic IP.
>
> There's no reason in principle why you can't do that. In practice there needs to be some way to authenticate the server. The usual way is to match the user supplied hostname to that in the certificate. If you want to do something else then how or if you can do it depends on the client software.
>
> Steve.
> --
> Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
> OpenSSL project core developer and freelance consultant.
> Funding needed! Details on homepage.
> Homepage: http://www.drh-consultancy.demon.co.uk

So, would it be possible to just name the certificate with the server's name, for example "Myserver", and this server could have a dynamic IP, or does the certificate need to be named "www.myserver.com"?

The whole system I want to develop is that a user connects to a server and triggers some commands to get/send data from or to a dynamic-IP server. To connect the user to the static-IP server I use an SSL connection. For the connection to the dynamic-IP servers I have the problem of authenticating them. Though the date and the company that issued it are known, because it's me, I don't need the IP address. An additional authentication will be done in the first one or two packets transferred between the servers to verify it's the correct one. How can I implement this in Tomcat, or do I have to implement the whole authentication mechanism in my client, doing it manually instead of implementing it in Tomcat?

  Dynamic IPServer1 ---(using SSL, server auth. not needed)--- Static IPServer ---(using SSL)--- User
  Dynamic IPServer2 ---/

Best regards
Jochen
Re: SSL with dynamic IP
On Wed, Apr 07, 2004, Jochen Schaefer wrote:
> Hi everybody,
>
> does anybody know how to accept an SSL certificate where only the
> certificate date and the company which issued it have to be valid?
> I want to establish an SSL connection between 2 Tomcat web servers where
> both have the possibility to access each other. One has a static IP, the
> other one a dynamic IP.
>

There's no reason in principle why you can't do that. In practice there needs to be some way to authenticate the server. The usual way is to match the user supplied hostname to that in the certificate. If you want to do something else then how or if you can do it depends on the client software.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
SSL with dynamic IP
Hi everybody,

does anybody know how to accept an SSL certificate where only the certificate date and the company which issued it have to be valid?
I want to establish an SSL connection between 2 Tomcat web servers where both have the possibility to access each other. One has a static IP, the other one a dynamic IP.

Thx for your help,
best regards
Jochen