On 10/27/2012 10:58 PM, Jeffrey Walton wrote:
On Sat, Oct 27, 2012 at 11:00 AM, Alban D. <blan...@gmail.com> wrote:
Hi everyone,

iSEC Partners just released a paper that provides detailed guidelines
and sample code on how to properly do certificate validation with
OpenSSL:
http://www.isecpartners.com/blog/2012/10/14/the-lurking-menace-of-broken-tls-validation.html

It is not trivial and so I thought this reference material could be
useful to people on this mailing list.

] Supporting wildcard certificates requires manually parsing
] the name to find the wildcard character, ensuring that it is
] in a valid location within the domain, and then trying to
] match the pattern with the server's expected hostname.
Don't do it because it violates the Principle of Least Privilege. Why
should users be asked to trust the receptionist's machine in the lobby
or a developer's machine with nearly anything installed?

If you are in a multi-domain environment (such as Apache with virtual
hosts), use multiple certificates or Server Name Indication (SNI).


You obviously don't understand the proper uses and necessity of
wildcard certificates:

1. Many existing clients support no form of SNI (there are two forms
for HTTP) or use protocols that will have difficulty supporting it.

2. The business model of commercial CAs makes it economically
infeasible for sites to acquire separate certificates for each low
visibility service, such as enabling STARTTLS on SMTP to a backup MX.
But acquiring a wildcard cert shared by all such services is
affordable and does not require a purchase bureaucracy every time an
additional server is brought online.

3. Being covered by a wildcard certificate's name match does not give
a computer access to the private key needed to actually use that
certificate.  The security model is that the wildcard cert identifies
the organization, and the organization only installs the private key
on trusted servers.


Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  http://www.wisemo.com
Transformervej 29, 2730 Herlev, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
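The wildcard-matching rules the quoted iSEC paper describes (locate the wildcard, check it sits in a valid position in the name, then match the pattern against the expected hostname) written out as an added example in C. This is not code from the paper, from anyone in the thread, or from OpenSSL; the function name `hostname_matches` and the constructed test names are the author's assumptions, and the rules follow the conservative reading of RFC 6125 section 6.4.3: a wildcard is only accepted as the whole leftmost label, it matches exactly one non-empty label, and patterns such as `*.com` are rejected. (OpenSSL 1.0.2 and later perform this check for you via `X509_check_host()` / `X509_VERIFY_PARAM_set1_host()`; hand-written matching was only necessary for the older releases current when this thread was written.)

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Case-insensitive comparison of two byte ranges of equal length n. */
static int label_eq(const char *a, const char *b, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return 0;
    return 1;
}

/* Count dot-separated labels in s ("a.b.c" -> 3). */
static int count_labels(const char *s)
{
    int n = 1;
    for (; *s; s++)
        if (*s == '.')
            n++;
    return n;
}

/* Reject names with an empty label ("a..b") or a trailing dot. */
static int has_empty_label(const char *s)
{
    size_t len = strlen(s);
    return strstr(s, "..") != NULL || (len > 0 && s[len - 1] == '.');
}

/* Returns 1 if hostname matches the certificate name pattern (a dNSName
 * SAN or the CN), 0 otherwise.  Rules (RFC 6125 6.4.3, conservative subset):
 *  - a pattern without '*' must equal the hostname, case-insensitively;
 *  - '*' is only accepted as the entire leftmost label ("*.example.com"),
 *    so "w*.example.com", "*.*.example.com" and a bare "*" are rejected;
 *  - the wildcard matches exactly one non-empty label and never a '.',
 *    so "foo.bar.example.com" does not match "*.example.com";
 *  - the pattern needs at least three labels, so "*.com" is rejected.
 * (Hypothetical helper written for this example.)
 */
int hostname_matches(const char *pattern, const char *hostname)
{
    if (!pattern || !hostname || !*pattern || !*hostname)
        return 0;
    if (has_empty_label(pattern) || has_empty_label(hostname))
        return 0;

    const char *star = strchr(pattern, '*');
    if (!star) {
        /* No wildcard: exact, case-insensitive match only. */
        size_t lp = strlen(pattern), lh = strlen(hostname);
        return lp == lh && label_eq(pattern, hostname, lp);
    }

    /* Wildcard must be the first character, be the whole label, and be unique. */
    if (star != pattern || pattern[1] != '.' || strchr(pattern + 1, '*'))
        return 0;
    /* "*.tld" would cover every second-level domain under the TLD. */
    if (count_labels(pattern) < 3)
        return 0;

    /* The hostname's leftmost label must be non-empty; everything after it
     * must equal the pattern's suffix (".example.com") exactly, which is
     * what confines the wildcard to a single label. */
    const char *dot = strchr(hostname, '.');
    if (!dot || dot == hostname)
        return 0;
    const char *suffix = pattern + 1;
    size_t ls = strlen(suffix);
    return strlen(dot) == ls && label_eq(suffix, dot, ls);
}

int main(void)
{
    /* Constructed sample pairs for illustration; none are real certificates. */
    static const struct { const char *pattern, *host; } cases[] = {
        { "*.example.com",   "www.example.com"     },
        { "*.example.com",   "WWW.Example.COM"     },
        { "*.example.com",   "foo.bar.example.com" },
        { "*.example.com",   "example.com"         },
        { "*.com",           "example.com"         },
        { "w*.example.com",  "www.example.com"     },
        { "example.com",     "example.com"         },
        { "example.com",     "example.org"         },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-18s vs %-22s -> %s\n", cases[i].pattern, cases[i].host,
               hostname_matches(cases[i].pattern, cases[i].host) ? "match" : "no match");
    return 0;
}
```

The suffix comparison is the important part: by requiring everything after the hostname's first dot to equal the pattern's suffix byte for byte, the wildcard can never absorb a dot, which is the mistake that lets `*.example.com` be presented for `anything.attacker.example.com`-style multi-label names.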
