Re: FQDN

Thu, 24 Jul 2003 23:59:59 -0700 

On Thu, Jul 24, 2003 at 03:43:43PM -0700, David Schwartz wrote:
> 
> > Please check this url:
> > http://developer.netscape.com/docs/manuals/security/sslin/contents.htm
> > Server authentication, step 4
> > The only difference is that netscape just check domain name.
> 
> "Does the domain name in the server's certificate match the domain name of
> the server itself? This step confirms that the server is actually located at
> the same network address specified by the domain name in the server
> certificate. Although step 4 is not technically part of the SSL protocol, it
> provides the only protection against a form of security attack known as a
> Man-in-the-Middle Attack. Clients must perform this step and must refuse to
> authenticate the server or establish a connection if the domain names don't
> match. If the server's actual domain name matches the domain name in the
> server certificate, the client goes on to Step 5."

Technically, the TLS specification only cares about the cryptographical
issues and the certificate verification from the cryptographical point
of view as well as the certificate chain verification.

This is however -- as pointed out -- not sufficient. At the end of the
handshake and certificate verification it is only known, whether the
peer could send a trustworthy certificate or not.

The peer name check is required on a higher level, namely in the application
specific protocol, e.g. in RFC2818: "HTTP Over TLS", section 3:
Endpoint Identity.

  In general, HTTP/TLS requests are generated by dereferencing a URI.
  As a consequence, the hostname for the server is known to the client.
  If the hostname is available, the client MUST check it against the
  server's identity as presented in the server's Certificate message,
  in order to prevent man-in-the-middle attacks.

Other RFCs dealing with protocols using TLS contain respective formulations.

Best regards,
        Lutz
-- 
Lutz Jaenicke                             [EMAIL PROTECTED]
http://www.aet.TU-Cottbus.DE/personen/jaenicke/
BTU Cottbus, Allgemeine Elektrotechnik
Universitaetsplatz 3-4, D-03044 Cottbus
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]

Reply via email to