[Devel] Re: [Users] TLS setup

Klaus Darilion klaus.mailinglists at pernau.at
Tue Oct 11 09:20:08 CEST 2005


Cesc wrote:
> Hi,
> see inline ...
> 
> On 10/10/05, *Bogdan-Andrei Iancu* <bogdan at voice-system.ro> wrote:
> 
>     Hi Juha,
> 
>     not sure, but maybe the certificate to be used should be selected based
>     on the domain advertised in the received certificate. Like if you
>     received a certificate advertising server1.com, you should use the
>     client/server certificate you have with that domain....
> 
> 
> It just would not work.
> When you are dialing out you already know the cert you want to use 
> (let's assume that you can select the cert when doing multidomain). In 
> the TLS handshake, you are the client ... but the server must send its cert 
> FIRST ... thus I, as the receiving proxy (serving multi-domain), have 
> no idea who you are, so I should provide you with my host cert (not the 
> cert of the domain I am serving). I just checked the behavior of the web 
> server which hosts my web domain and it does actually that (it presents 
> me with its host certificate) and the browser pops up a warning telling me 
> that the cert subject and/or CN does not match my requested domain ... 
> In SER, this could be dealt with at the config level, automatically, provided 
> some module provides this functionality ...

The first problem is: if my browser pops up a warning, I can decide whether 
the connection should be accepted or not (with some Internet experience 
this should not be too difficult). But the proxy has no human 
intelligence to decide.

The second problem: RFC 3263 also states that by validating the domain in 
the certificate it is possible to detect hacked nameserver entries. But 
with your suggestion (using only a host certificate), this wouldn't be 
possible.

regards
klaus


> 
> Regards,
> 
> Cesc
> 
> 
> ------------------------------------------------------------------------
> 
> _______________________________________________
> Devel mailing list
> Devel at openser.org
> http://openser.org/cgi-bin/mailman/listinfo/devel
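The check Klaus refers to, as an added example that is not part of the thread and is not ser/openser code: a proxy acting as TLS client for a SIPS destination matches the peer certificate against the domain from the original SIP URI, never against the hostname that NAPTR/SRV resolution returned. That is what makes a tampered SRV record detectable, and it is also why a multi-domain proxy that only presents its host certificate is rejected by such a client. The domain names (example.com, proxy1.example.com, evil.attacker.net), the DNS answers and the certificate identities are constructed stand-ins; nothing is parsed from real X.509 data, and the `sip:` URI form of the SAN entry is an assumed identity form, not something the thread discusses.

```python
# Added example (not from the thread or from ser/openser): client-side
# certificate check for a SIPS destination, applying the RFC 3263 rule that
# the peer certificate is matched against the domain in the original SIP URI
# and not against the host that NAPTR/SRV resolution produced.  All names,
# DNS answers and certificate identities below are constructed stand-ins.

from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class PeerCert:
    """Identity fields of a server certificate (hand-built, not X.509-parsed)."""
    subject_cn: str
    san_dns: List[str] = field(default_factory=list)  # dNSName SAN entries
    san_uri: List[str] = field(default_factory=list)  # URI SAN entries, e.g. "sip:example.com" (assumed form)


def cert_identities(cert: PeerCert) -> List[Tuple[str, str]]:
    """Names the certificate is valid for; the CN counts only when no SAN is present."""
    ids = [("dns", n.lower().rstrip(".")) for n in cert.san_dns]
    ids += [("uri", u.lower()) for u in cert.san_uri]
    if not ids:
        ids.append(("dns", cert.subject_cn.lower().rstrip(".")))
    return ids


def cert_matches_domain(cert: PeerCert, domain: str) -> bool:
    """Exact match only; no wildcard handling, which keeps the check conservative."""
    domain = domain.lower().rstrip(".")
    for kind, value in cert_identities(cert):
        if kind == "dns" and value == domain:
            return True
        if kind == "uri" and value in ("sip:" + domain, "sips:" + domain):
            return True
    return False


def validate_sips_peer(request_domain: str, resolved_host: str, cert: PeerCert) -> Tuple[bool, str]:
    """
    request_domain: host part of the SIPS URI the proxy is sending to.
    resolved_host:  target returned by the NAPTR/SRV lookup (the TCP endpoint).
    Only request_domain decides acceptance; resolved_host is used solely to
    produce a reason string that explains why a host certificate was rejected.
    """
    if cert_matches_domain(cert, request_domain):
        return True, "certificate valid for %s" % request_domain
    if cert_matches_domain(cert, resolved_host):
        return False, ("certificate valid only for resolved host %s, not for %s; "
                       "a host certificate and a hijacked DNS record look the same here"
                       % (resolved_host, request_domain))
    return False, "certificate valid for neither %s nor %s" % (request_domain, resolved_host)


# Constructed scenarios: (domain in the SIPS URI, host from SRV lookup, cert presented).
SCENARIOS: Dict[str, Tuple[str, str, PeerCert]] = {
    # proxy presents a certificate for the domain it serves
    "domain-cert":  ("example.com", "proxy1.example.com",
                     PeerCert("example.com", san_dns=["example.com"])),
    # same proxy, domain identity carried as a SIP URI SAN (assumed form)
    "uri-san-cert": ("example.com", "proxy1.example.com",
                     PeerCert("proxy1.example.com", san_uri=["sip:example.com"])),
    # multi-domain proxy presenting only its host certificate
    "host-cert":    ("example.com", "proxy1.example.com",
                     PeerCert("proxy1.example.com", san_dns=["proxy1.example.com"])),
    # SRV record tampered to point at an attacker host holding a genuine cert for that host
    "hijacked-dns": ("example.com", "evil.attacker.net",
                     PeerCert("evil.attacker.net", san_dns=["evil.attacker.net"])),
}


def run_scenarios() -> Dict[str, bool]:
    """Map scenario name -> whether the proxy would accept the TLS peer."""
    results = {}
    for name, (domain, host, cert) in SCENARIOS.items():
        ok, reason = validate_sips_peer(domain, host, cert)
        results[name] = ok
        print("%-13s %s: %s" % (name, "ACCEPT" if ok else "REJECT", reason))
    return results


if __name__ == "__main__":
    run_scenarios()
```

The two rejected cases are the point of the thread: a client that compares the certificate only with the resolved host would accept both the host-only certificate and the attacker's certificate, because from the client's side they are indistinguishable; comparing with the domain from the URI rejects both, which is what makes the tampered DNS entry detectable and what a host-certificate-only proxy cannot satisfy.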