On 20/11/2022 23:46, Andrew Rowley wrote:
On 19/11/2022 8:19 pm, Peter Sylvester wrote:
It seems to me that this code currently poses a security risk.
Certificate validation always says OK. (Well, it is said like this in the code.)
Which terminal emulators actually validate the certificate?
Graeca sunt non leguntur (it's Greek, nobody reads it; just read the next line).
x3270 performs certificate validation.
https://x3270.miraheze.org/wiki/Host_name_syntax
You can use something like
... -xrm c3270.caFile:./bigblue.crt
L:xxx.yyy.zzz..aaa:nnnn=mysandbox.bigblue.info
in case there is no DNS or you don't want a local /etc/hosts entry. Or if the server cert's
hostname is weird.
I would like to think all of them do, but the number of TLS tutorials that start by creating your
own CA suggests that certificate validation might not be common.
I still have some difficulty determining the context of 'might not be common'. Certificate
validation has several steps; at least the first one, i.e. checking the chain towards a known CA, is
important. In the global CA trust pool, you want to check the hostname, and well, even this may not
be sufficient in the www, see later. There is a lot of "inertia"
OK, a simplified approach: there are different scenarios of TLS-secured
applications, e.g.:
- the global www with a huge number of CAs and the browsers.
- extranet "www" style with browsers (maybe/mostly with client certs) and a
company or dedicated CA.
I think that a "typical" TN3270 is not of the first type. It should be sufficient to provide the
company root CA to the tn3270 client. (TNZ 3270 seems to have the code to use a file, hardcoded.)
You would not want to implement access to the "global www" local CA trust pool, i.e. you keep a
separate PKI environment. Using client certs may be optional depending on whether ... well, see more
later
- curl the Starfighter, the eierlegende Wollmilchsau (the egg-laying wool-milk-sow, the all-in-one
device) for everything... actually not, because the Starfighter was a broken plane.
OK, the developer had 5 minutes to convince a manager to use TNZ. You just do a "pip install" and
there it goes. It is understandable that you want to avoid 4 minutes and 45 seconds explaining a CA
setup. Long history.
https://catless.ncl.ac.uk/Risks/6.16.html#subj3
https://www.youtube.com/watch?v=YtZqNAI4pBk
There could be a kind of baby-duck logic, as with ssh. Or, if client certs are desired, I would
(actually did, 20 years ago) provide a PKCS12 that contains the client key pair plus (at least) the
trustworthy CA cert (or the whole chain).
https://web.archive.org/web/20030205235726/http://clepsydre.edelweb.fr/
or
https://web.archive.org/web/20070630213851/https://www.openevidence.org/
What would be the Internet without archive.org? George Orwell warned us.
BTW: The first project was done in less than a month by two persons. So complexity is not an issue,
no mythical man-month problem. Actually, one person was replaced (no longer available) after 10 days.
Compiling openssl on a Pentium II with Windows NT, well, hours. Time to (re)read the openssl API :-)
I don't think Vista does it :-(
There is always space (but maybe not time) for improvement :-)
I assume that TLS is set up before any TN3270 specific stuff happens so you can probably test it
by connecting to e.g. wrong.host.badssl.com port 443. A certificate error would show that the
certificate is being validated.
I.e. testing not only the things that are supposed to work but also the things that should not work.
In my x3270 example, you would use another hostname (right of =) or no CA.
The company I worked for once had its own PKI. Some of the consultants used to travel and connect via
whatever. The company CA was not part of the "trust" set, so you should always get a warning, unless
you hit an interception proxy that creates a cert on the fly (certified through the global CA
pool). That was 15 years ago.
One country Administration CA got blocked after detection of such a "proxy".
Chrome detected this ...
To verify whether your settings are OK, you can also use openssl s_client to connect to port 992
(or whatever). You (and everybody) can trace the certificate(s). Or get the CA cert like a baby duck
establishes trust in its mother when it sees her for the first time.
https://www.simplypsychology.org/Konrad-Lorenz.html
Best
Peter Sylvester
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN
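Added example, not from this thread and not code from TNZ, x3270 or any other TN3270 client: a
small shell script that builds the pieces discussed above with the openssl CLI and then runs the
"things that should not work" tests. It creates a private company CA, a server certificate for the
TN3270 host, and a PKCS12 bundle holding a client key pair plus the CA certificate, then checks that
the server certificate is accepted only with the right CA file AND the right hostname, and that the
CA recovered from the PKCS12 is enough to bootstrap trust. Only the file name bigblue.crt and the
hostname mysandbox.bigblue.info are taken from the x3270 example in the mail; the CA names, the user
name, the password "demo" and all other file names are invented for the demo, and the openssl CLI
(1.1.1 or 3.x) is assumed. The checks run offline against files; against a live listener the same
two checks are the -CAfile / -verify_hostname options of openssl s_client, shown in a comment.

```shell
#!/bin/sh
# Added example, not code from the thread or from any TN3270 client.
# Assumes only the openssl CLI (1.1.1 or 3.x). The CA file name bigblue.crt and
# the host name mysandbox.bigblue.info come from the x3270 example in the mail;
# every other name, path and password here is made up for the demo.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"
HOST=mysandbox.bigblue.info

# Minimal openssl config so "req" works on systems without a global openssl.cnf.
cat > req.cnf <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = ca_ext
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF

# 1. The company CA: a separate PKI, deliberately not the browser trust pool.
openssl req -config req.cnf -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -subj "/O=BigBlue Test/CN=BigBlue Test CA" -keyout ca.key -out bigblue.crt 2>/dev/null
# An unrelated CA, standing in for "some other trust set" (e.g. the global pool).
openssl req -config req.cnf -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -subj "/CN=Unrelated CA" -keyout other.key -out other.crt 2>/dev/null

# 2. Server certificate for the TN3270 host, signed by the company CA, with the
#    host name in subjectAltName (clients match the SAN, not the CN).
openssl req -config req.cnf -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=$HOST" -keyout srv.key -out srv.csr 2>/dev/null
printf 'subjectAltName=DNS:%s\n' "$HOST" > san.ext
openssl x509 -req -sha256 -days 1 -in srv.csr -CA bigblue.crt -CAkey ca.key \
    -CAcreateserial -extfile san.ext -out srv.crt 2>/dev/null

# 3. A client key pair, bundled as PKCS#12 together with the CA certificate:
#    one file to hand to the user, which also seeds the client's trust store.
openssl req -config req.cnf -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=user1" -keyout client.key -out client.csr 2>/dev/null
openssl x509 -req -sha256 -days 1 -in client.csr -CA bigblue.crt -CAkey ca.key \
    -CAcreateserial -out client.crt 2>/dev/null
openssl pkcs12 -export -inkey client.key -in client.crt -certfile bigblue.crt \
    -passout pass:demo -out client.p12

# verify_server CAFILE HOSTNAME: exit 0 only if srv.crt chains to CAFILE and
# carries HOSTNAME. Against a live port 992 the same two checks are:
#   openssl s_client -connect host:992 -CAfile CAFILE -verify_hostname HOSTNAME \
#       -verify_return_error </dev/null
verify_server() {
    openssl verify -CAfile "$1" -verify_hostname "$2" srv.crt >/dev/null 2>&1
}

# ca_from_p12: pull the CA certificate(s) back out of the bundle, as a client
# would when bootstrapping its trust from the PKCS#12 it was given.
ca_from_p12() {
    openssl pkcs12 -in client.p12 -passin pass:demo -nokeys -cacerts \
        -out p12-ca.crt 2>/dev/null
    printf '%s\n' p12-ca.crt
}

# show_cert FILE: "tracing the certificate" without a network connection.
show_cert() {
    openssl x509 -in "$1" -noout -subject -issuer -ext subjectAltName
}

# Test the things that should work AND the things that should not.
verify_server bigblue.crt "$HOST"            && echo "right CA, right name:  accepted"
verify_server bigblue.crt wrong.bigblue.info || echo "right CA, wrong name:  rejected"
verify_server other.crt   "$HOST"            || echo "wrong CA, right name:  rejected"
verify_server "$(ca_from_p12)" "$HOST"       && echo "CA from PKCS#12:       accepted"
show_cert srv.crt
```

The point of the last block is the negative cases: a client that "always says OK" passes the first
line and the last, but also passes the two that must fail. If you point a real emulator at such a
setup (or at wrong.host.badssl.com), a missing error on the wrong-name or wrong-CA case is the bug.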