On Mon, Aug 21, 2000 at 03:15:06PM +0300, Marko Asplund wrote:
> > The browsers don't have the slightest idea on the "server name". The only
> > reliable information is the URL. A hostname being obtained by DNS lookup
> > may already be faked by someone tampering with your DNS servers (or packets).
> > A server name sent by the server itself is also not trustworthy.
> > If you want to connect to "https://www.my-bank.com", you want to be sure
> > to be connected to www.my-bank.com and not to "www.bandits.org", regardless
> > of any other server names/DNS entries...
> 
> yes, but how is CommonName matched exactly? is it only matched against the
> hostname extracted from a URL? Thawte's web pages say that if
> CN=www.bandits.org this only matches to URLs that begin with
> https://www.bandits.org/. but what about e.g. imaps://www.bandits.org/ and
> https://www.bandits.org:3333/?

It matches all of these entries:
- https://www.bandits.org/         is the normal https service at host
                                   www.bandits.org at port 443
- https://www.bandits.org:3333/    is the same host, but with https-service
                                   at port 3333
- imaps://www.bandits.org/         might be an SSL-wrapped IMAP server on host
                                   www.bandits.org, (normally port 993), but
                                   I don't know which browser supports this
                                   notation.

It would also match all "filenames" such as
  https://www.bandits.org/path/to/my/document
but it will not match names like
  https://www1.bandits.org/ or https://mail.bandits.org/
or
  https://host.www.bandits.org/

Consider the following practical example :-) I have a host named
  "serv01.aet.tu-cottbus.de" with the aliases "www" and "ftp"
If you want to connect to this host without seeing a "mismatch" warning,
you would need to connect to:
  "https://www.aet.tu-cottbus.de" (certificate issued for www...)
However, for other services like email, people must connect to "serv01"
which is actually the same host.
Example: submission of an email with TLS activated on port 25 with the STARTTLS
extension (you need Netscape >= 4.5 or Outlook >= 5). Here you must enter
the hostname "serv01.aet.tu-cottbus.de" so as not to see the mismatch.
Try to connect to https://serv01.aet.tu-cottbus.de and you will see the
mismatch warning.

Please note that my certificates are issued by our computer center with
the DFN-PCA as root certificate, which is not in the default database
of browsers...

Best regards,
        Lutz
-- 
Lutz Jaenicke                             [EMAIL PROTECTED]
BTU Cottbus               http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik                  Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus              Fax. +49 355 69-4153
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
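Added example, not part of Lutz's mail or of OpenSSL: a small Python model of the CommonName matching rule described above. The certificate subject is compared only with the hostname taken from the URL; scheme, port and path are ignored, and there is no wildcard or subdomain matching, so "www1", "mail" and "host.www" variants fail while any port or path on the exact host passes. The hostnames are the ones from the mail; `cn_matches_url`, `host_from_url` and `check_cases` are names chosen here, and the URL parsing uses the standard `urllib.parse.urlsplit`.

```python
from urllib.parse import urlsplit


def host_from_url(url: str) -> str:
    """Return the hostname part of a URL, lowercased, with scheme, port and
    path stripped. urlsplit handles any scheme followed by '//' (https, imaps...)."""
    host = urlsplit(url).hostname
    if host is None:
        raise ValueError(f"no host in URL: {url!r}")
    return host


def cn_matches_url(cn: str, url: str) -> bool:
    """Exact, case-insensitive comparison of the certificate CN with the URL host.

    This models the rule from the mail: the browser trusts only the hostname
    it typed into the URL, never DNS data or a name the server claims, and the
    CN must equal that hostname exactly (no port, no path, no subdomains)."""
    return cn.lower() == host_from_url(url)


def check_cases() -> dict:
    """Evaluate the URLs discussed in the mail against CN=www.bandits.org and
    the serv01/www alias situation against CN=www.aet.tu-cottbus.de."""
    bandits = "www.bandits.org"
    cottbus = "www.aet.tu-cottbus.de"  # certificate issued for the "www" alias
    results = {
        # scheme, port and path differences do not matter
        "https://www.bandits.org/": cn_matches_url(bandits, "https://www.bandits.org/"),
        "https://www.bandits.org:3333/": cn_matches_url(bandits, "https://www.bandits.org:3333/"),
        "imaps://www.bandits.org/": cn_matches_url(bandits, "imaps://www.bandits.org/"),
        "https://www.bandits.org/path/to/my/document": cn_matches_url(
            bandits, "https://www.bandits.org/path/to/my/document"),
        # different hosts in the same domain do not match
        "https://www1.bandits.org/": cn_matches_url(bandits, "https://www1.bandits.org/"),
        "https://mail.bandits.org/": cn_matches_url(bandits, "https://mail.bandits.org/"),
        "https://host.www.bandits.org/": cn_matches_url(bandits, "https://host.www.bandits.org/"),
        # the alias the certificate was issued for works, the canonical name does not,
        # even though both resolve to the same machine
        "https://www.aet.tu-cottbus.de": cn_matches_url(cottbus, "https://www.aet.tu-cottbus.de"),
        "https://serv01.aet.tu-cottbus.de": cn_matches_url(cottbus, "https://serv01.aet.tu-cottbus.de"),
    }
    return results


if __name__ == "__main__":
    for url, ok in check_cases().items():
        print(f"{'match   ' if ok else 'MISMATCH'}  {url}")
```

The "MISMATCH" lines are exactly the cases in which a browser of that era would pop up its name-mismatch warning; the fix on the server side is to issue the certificate for the name users actually type (or one certificate per name), not to rely on DNS aliases.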
