Hi all, I'm wondering what the correct or recommended procedure is to verify that a certificate matches the requested domain.

If I tell SSLeay where my CA certs are stored then the certs are verified:

    $ HTTPS_CA_DIR=/etc/ssl/certs HEAD https://gmail.google.com

Whereas a self-signed cert (where I don't have the CA cert) will generate an error:

    500 SSL negotiation failed: error:1407E086:SSL routines:SSL2_SET_CERTIFICATE:certificate verify failed

Now, my question is how to catch certs that don't match the domain. For example, going to https://gmail.com will report that the cert is for mail.google.com. Is there a method other than parsing the CN out of the Client-SSL-Cert-Subject header available that I should be using? Or is parsing that header the recommended approach?

    use strict;
    use warnings;
    use LWP::UserAgent;
    use HTTP::Request;

    # point Crypt::SSLeay at the system CA directory so the chain gets verified
    $ENV{HTTPS_CA_DIR} = '/etc/ssl/certs';

    my $req = HTTP::Request->new( GET => 'https://gmail.com' );
    my $res = LWP::UserAgent->new->simple_request( $req );
    print $res->headers_as_string;

Output:

    Connection: Close
    Date: Sat, 29 Sep 2007 18:30:13 GMT
    Location: https://mail.google.com/mail/
    Server: gws
    Content-Length: 226
    Content-Type: text/html
    Content-Type: text/html;charset=utf-8
    Client-Date: Sat, 29 Sep 2007 18:30:13 GMT
    Client-Peer: 64.233.171.83:443
    Client-Response-Num: 1
    Client-SSL-Cert-Issuer: /C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA
    Client-SSL-Cert-Subject: /C=US/ST=California/L=Mountain View/O=Google Inc/CN=mail.google.com
    Client-SSL-Cipher: AES256-SHA
    Client-SSL-Warning: Peer certificate not verified
    Set-Cookie: PREF=ID=0bde9752f3ab3357:TM=1191090613:LM=1191090613:S=wn3s5qf6X18GZ3gs; expires=Mon, 28-Sep-2009 18:30:13 GMT; path=/; domain=.google.com
    Title: 301 Moved

-- 
Bill Moseley
[EMAIL PROTECTED]
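The header-parsing approach the post asks about, written out as an added example (not code from the original post or from LWP/Crypt::SSLeay): it pulls the CN out of the Client-SSL-Cert-Subject header, compares it to the host in the request URI with the usual case-insensitive and single-label wildcard rules, and refuses the response whenever Client-SSL-Warning says the chain was not verified. The function names, the `/etc/ssl/certs` CA directory and the offline check against the subject line quoted above are assumptions made for the example.

```perl
#!/usr/bin/perl
# Added example, not part of the original post: reject a response whose
# certificate CN does not match the host we asked for.
use strict;
use warnings;
use LWP::UserAgent;
use HTTP::Request;

# Pull the CN out of an OpenSSL one-line subject such as
# "/C=US/ST=California/L=Mountain View/O=Google Inc/CN=mail.google.com".
sub cn_from_subject {
    my ($subject) = @_;
    return undef unless defined $subject;
    my ($cn) = $subject =~ m{/CN=([^/]+)};
    return $cn;
}

# Match a certificate name against a host name: exact (case-insensitive),
# or a wildcard "*.example.com" that covers exactly one extra label.
sub name_matches_host {
    my ($name, $host) = @_;
    return 0 unless defined $name && defined $host;
    $name = lc $name;
    $host = lc $host;
    $host =~ s/\.\z//;                 # tolerate a trailing dot in the host
    return 1 if $name eq $host;
    if ($name =~ /\A\*\.(.+)\z/) {
        my $suffix = $1;
        # host must be "<one non-empty label>.<suffix>"
        return 1 if $host =~ /\A[^.]+\.\Q$suffix\E\z/;
    }
    return 0;
}

# Fetch a URL and return (ok, reason). ok is true only when the CA chain
# verified AND the subject CN matches the host named in the request URI.
sub fetch_and_check {
    my ($url) = @_;
    local $ENV{HTTPS_CA_DIR} = '/etc/ssl/certs';   # assumption: system CA dir
    my $req = HTTP::Request->new( GET => $url );
    my $res = LWP::UserAgent->new->simple_request( $req );

    # LWP reports a failed TLS negotiation as an internal 500 response
    return (0, 'SSL error: ' . $res->status_line) if $res->code == 500;

    # Crypt::SSLeay sets this header when the chain could not be verified
    my $warn = $res->header('Client-SSL-Warning');
    return (0, "chain not verified: $warn") if defined $warn;

    my $host = $req->uri->host;
    my $cn   = cn_from_subject( $res->header('Client-SSL-Cert-Subject') );
    return (0, 'no CN in peer certificate subject') unless defined $cn;
    return (0, "CN '$cn' does not match requested host '$host'")
        unless name_matches_host($cn, $host);
    return (1, "CN '$cn' matches '$host'");
}

# Offline check against the subject line quoted in the post (constructed input).
my $subject = '/C=US/ST=California/L=Mountain View/O=Google Inc/CN=mail.google.com';
my $cn = cn_from_subject($subject);
printf "%-16s %s\n", $_, name_matches_host($cn, $_) ? 'match' : 'MISMATCH'
    for qw(mail.google.com gmail.com);

# Live check (needs network); uncomment to run:
# my ($ok, $why) = fetch_and_check('https://gmail.com');
# print $ok ? "OK: $why\n" : "REJECT: $why\n";
```

Two caveats a practitioner should keep in mind. The Client-SSL-Cert-* headers expose only the subject and issuer, not the subjectAltName extension, so a certificate whose host name appears only in a SAN entry is rejected by this check even though a browser would accept it. And in LWP::UserAgent 6.x the same hostname check is built in: passing `ssl_opts => { verify_hostname => 1 }` (with `SSL_ca_path` or `SSL_ca_file` pointing at the trust store) makes IO::Socket::SSL compare the peer certificate, SAN included, against the request host and fail the request on mismatch, which removes the need to parse headers at all.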