On 25/11/15 19:22, Roland Zink wrote:
The resolution of a certificate is the domain name, e.g. it is valid for
all services on the machine. If you get the certificate for a port then
you may misuse it to intercept traffic to other ports / services.

This is certainly true for any certificate that asserts the DNS name only (irrespective of the vetting: DV, OV or EV). There's an inherent trust relationship between everyone running services under the same DNS name.

One potential solution is for the CA to issue a certificate that asserts the DNS name and port number together; for example, with a URI as the only SubjectAltName.

Unfortunately, it looks like there is no support in openssl/libressl for certificates with only URI-based SubjectAltName.

Cheers,

Paul.
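To make the distinction in this thread concrete, here is a small matching routine written for this page as an added example (it is not code from the thread, from openssl or from any library): a dNSName SAN is accepted for any port on that host, while a URI SAN is accepted only for the scheme, host and port it names. The SAN entries, and the rule that a URI SAN with no explicit port asserts the scheme's default port, are assumptions of the example.

```python
"""Match a requested scheme://host:port against a certificate's
SubjectAltName entries.  SAN values here are constructed for the
example; decoding the DER of a real certificate is out of scope."""
from urllib.parse import urlsplit

# Assumption of the example: a URI SAN without an explicit port is read
# as asserting the scheme's well-known default port.
DEFAULT_PORTS = {"https": 443, "imaps": 993, "smtps": 465}


def dns_matches(pattern: str, host: str) -> bool:
    """RFC 6125-style dNSName match: exact, or one left-most wildcard label."""
    pattern, host = pattern.lower(), host.lower()
    if pattern == host:
        return True
    if pattern.startswith("*."):
        labels = host.split(".")
        return len(labels) > 2 and ".".join(labels[1:]) == pattern[2:]
    return False


def uri_matches(san_uri: str, scheme: str, host: str, port: int) -> bool:
    """A URI SAN must agree on scheme, host and port (port-scoped identity)."""
    try:
        parts = urlsplit(san_uri)
        san_port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False
    if parts.hostname is None or parts.scheme.lower() != scheme.lower():
        return False
    if san_port is None:
        san_port = DEFAULT_PORTS.get(parts.scheme.lower())
    return parts.hostname == host.lower() and san_port == port


def cert_valid_for(sans, scheme: str, host: str, port: int):
    """sans: list of (kind, value) pairs such as ("DNS", "example.com") or
    ("URI", "https://example.com:8443").  Returns (accepted, reason)."""
    for kind, value in sans:
        if kind == "DNS" and dns_matches(value, host):
            return True, f"dNSName {value} covers every port on {host}"
        if kind == "URI" and uri_matches(value, scheme, host, port):
            return True, f"URI SAN {value} is scoped to {scheme} on port {port}"
    return False, "no SubjectAltName entry covers this service"


if __name__ == "__main__":
    # A DNS-only certificate is accepted for an unrelated port on the same host.
    print(cert_valid_for([("DNS", "example.com")], "https", "example.com", 8443))
    # A URI SAN for port 8443 is rejected when presented by the port-443 service.
    print(cert_valid_for([("URI", "https://example.com:8443")], "https", "example.com", 443))
```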

_______________________________________________
Acme mailing list
Acme@ietf.org
https://www.ietf.org/mailman/listinfo/acme