Hi,

Cross-posting is evil.  I know!  But
"[EMAIL PROTECTED]" only has six subscribers,
so I thought I'd try this by a slightly larger audience.

Here's the idea:


/**
* Offers a secure way to use virtual-hosting and SSL in some situations:
* for example you want to connect to "bar.com" but you know in advance
* that the SSL Certificate on that server only contains "CN=foo.com".  If
* you setAllowedNames( new String[] { "foo.com" } ) on your SSLClient in
* advance, you can connect securely, while still using "bar.com" as the
* host.
*
* Here's a code example using "cucbc.com" to connect, but anticipating
* "www.cucbc.com" in the server's certificate:
* <pre>
* SSLClient client = new SSLClient();
* client.setAllowedNames( new String[] { "www.cucbc.com" } );
* Socket s = client.createSocket( "cucbc.com", 443 );
* </pre>
*
* This technique is also useful if you don't want to use DNS, and want to
* connect using the IP address.
*
* @param allowedNames array of alternate "allowed names" to try against a
* server's x509 CN field if the host/ip we used didn't match.  Set to null
* to force strict matching against host/ip passed into createSocket().
* Null is the default value.  Must be set in advance, before createSocket() is
* called.
*/
public void setAllowedNames( String[] allowedNames )
{
        this.allowedNames = allowedNames;
}


Any comments?

The way I've coded it, things get kind of exciting with wildcards.
Here's a code example using "credential.com" to connect, but
anticipating "*.credential.com" in the server's certificate:

SSLClient client = new SSLClient();
client.setAllowedNames( new String[] { "ooga_booga.credential.com" } );
Socket s = client.createSocket( "credential.com", 443 );

But I think that actually makes sense in a wildcard kind of way.

(I plan to sell DVDs through late night infomercials called
"Certificates gone Wildcard").


--
yours,

Julius Davies
416-652-0183
http://juliusdavies.ca/
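
An added illustration, not part of the original message and not the author's SSLClient code: a sketch of the fallback matching the Javadoc describes, assuming the certificate exposes a single CN string and that a wildcard covers exactly one left-most label. The class and method names (AllowedNamesCheck, matchesCn, accept) are hypothetical and the CN values are constructed.

```java
import java.util.Locale;

public class AllowedNamesCheck {

    // Matches one name against a certificate CN; "*" covers exactly one left-most label.
    static boolean matchesCn(String name, String cn) {
        String n = name.toLowerCase(Locale.ROOT);
        String c = cn.toLowerCase(Locale.ROOT);
        if (!c.startsWith("*.")) {
            return n.equals(c);
        }
        String suffix = c.substring(1);  // "*.credential.com" -> ".credential.com"
        if (!n.endsWith(suffix)) {
            return false;
        }
        String label = n.substring(0, n.length() - suffix.length());
        return !label.isEmpty() && label.indexOf('.') < 0;
    }

    // The connect host is checked first; allowedNames are only a fallback.
    // allowedNames == null keeps strict matching against the host.
    static boolean accept(String host, String[] allowedNames, String certCn) {
        if (matchesCn(host, certCn)) {
            return true;
        }
        if (allowedNames == null) {
            return false;
        }
        for (String allowed : allowedNames) {
            if (allowed != null && matchesCn(allowed, certCn)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        String[] strict = null;
        String[] www = { "www.cucbc.com" };
        String[] wild = { "ooga_booga.credential.com" };
        // Constructed CN values; no network connection is made.
        System.out.println(accept("cucbc.com", strict, "www.cucbc.com"));
        System.out.println(accept("cucbc.com", www, "www.cucbc.com"));
        System.out.println(accept("credential.com", strict, "*.credential.com"));
        System.out.println(accept("credential.com", wild, "*.credential.com"));
        System.out.println(accept("credential.com", wild, "*.other.example"));
    }
}
```

With a wildcard CN, any single-label name under that domain placed in allowedNames satisfies the check, so the entry effectively names the certificate's domain rather than one specific host.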
