On Mon, Apr 10, 2000 at 01:30:28PM -0400, Rob Bastille wrote:
> On Monday, April 10, 2000 10:50 AM, Jon Earle [SMTP:[EMAIL PROTECTED]] wrote:
> > It would be whatever the machine is called, in your case,
> > secure.macinshop.be.  As I understand it, and folks, please correct any
> > misunderstandings, the CN within the certificate is used by the browser to
> > verify that the machine sending the data is actually that box, and not some
> > other box that someone at that site created.  The certificate is unique to
> > a specific machine.
> > ...
>   I believe that what you wrote isn't accurate.  The CN is actually the
> name the IP address resolves to, and not the name the machine resolves to.
> If it were the machine, then you could only have one secure site per
> machine.  This is not the case.  You can have as many secure sites on a
> machine as you have IP addresses to support them.

The CN is the name which the browser uses to check the identity. Hence it
should/must match the _expected_ name. So if you connect to
        www.aet.tu-cottbus.de
the common name of a certificate presented should be "www.aet.tu-cottbus.de",
even if "www..." is only a CNAME. The real hostname is "serv01..." and
this is also what you get for a reverse lookup on the IP address.
If ftp were also supported with SSL, the corresponding CN for the
certificate presented by the ftp service would be "ftp.aet.tu-cottbus.de",
even though the machine is the same.
This is necessary, since a DNS lookup (forward or reverse) is insecure,
so you cannot rely on a CNAME resolution or a lookup of the IP number,
only on the name you (the user) are expecting.

[wildcards, if supported, must follow this rule, too.]

Best regards,
        Lutz
-- 
Lutz Jaenicke                             [EMAIL PROTECTED]
BTU Cottbus               http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik                  Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus              Fax. +49 355 69-4153
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      [EMAIL PROTECTED]
Automated List Manager                            [EMAIL PROTECTED]

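Added example (not code from the original mail or from mod_ssl): a hostname check that follows the rule Lutz describes, comparing the certificate CN only against the name the user typed, never against names learned from a CNAME or reverse lookup, with wildcards handled as he notes. The "canonical-host.example" name is a constructed stand-in for the elided real hostname.

```python
# Added example: CN-vs-expected-name check as described in the mail above.
# Not taken from mod_ssl/OpenSSL; a self-contained illustration only.


def cn_matches(expected_host, cn):
    """True if certificate CN `cn` is acceptable for `expected_host`.

    Comparison is case-insensitive on the full name. A wildcard is honoured
    only as the entire leftmost label (e.g. '*.aet.tu-cottbus.de'), it must
    leave at least two literal labels, and it covers exactly one label, so it
    matches neither 'aet.tu-cottbus.de' nor 'a.b.aet.tu-cottbus.de'.
    """
    expected = expected_host.lower().rstrip(".")
    name = cn.lower().rstrip(".")
    if "*" not in name:
        return expected == name
    labels = name.split(".")
    if labels[0] != "*" or len(labels) < 3 or any("*" in l for l in labels[1:]):
        return False  # '*' must be the whole leftmost label, nothing else
    exp_labels = expected.split(".")
    return len(exp_labels) == len(labels) and exp_labels[1:] == labels[1:]


def strict_check(typed_host, cn, dns_derived_names=()):
    """Browser-style decision: only the name the user expected counts.
    Names from CNAME or reverse DNS are deliberately ignored, since DNS
    answers are not authenticated and cannot be relied upon."""
    return cn_matches(typed_host, cn)


def naive_check(typed_host, cn, dns_derived_names=()):
    """The mistaken rule from the thread: accept a CN for any name DNS
    associates with the host. Shown only to contrast with strict_check;
    it lets the (untrusted) resolver decide which CN is acceptable."""
    candidates = (typed_host, *dns_derived_names)
    return any(cn_matches(n, cn) for n in candidates)


if __name__ == "__main__":
    # Constructed scenario from the mail: user connects to the CNAME name,
    # the box's real name (stand-in) is what reverse lookup returns.
    typed = "www.aet.tu-cottbus.de"
    real_name = "canonical-host.example"  # constructed placeholder
    print(strict_check(typed, "www.aet.tu-cottbus.de"))        # True
    print(strict_check(typed, "ftp.aet.tu-cottbus.de"))        # False
    print(strict_check(typed, real_name, [real_name]))         # False
    print(naive_check(typed, real_name, [real_name]))          # True (wrong)
```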