> Hi,
>
> Does anyone know where in the certificate verification routine that it
> checks the "Common Name" field against the device's interface IP
> address?

        You want to check the CN against what the higher-level code intended to
connect to. The SSL library has no idea what the higher-level code intended
to connect to, so it cannot do this check.

        For example, if you try to connect to 'www.amazon.com' and the resolver
resolves this to '72.21.206.5', you want to get a certificate for
'www.amazon.com'. A certificate for '72.21.206.5' would not prove to the
user that he reached 'www.amazon.com' because an attacker could redirect the
DNS.

        Verifying that you got the "right certificate" as opposed to a valid
certificate is outside the scope of what the SSL layer can do.

        DS
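Added example (not part of the reply above or of OpenSSL's own code) showing the check the reply says belongs in the application: the certificate is matched against the reference identity the caller asked for, never against the address the resolver returned. It assumes certificates in the dict shape that Python's `ssl.SSLSocket.getpeercert()` returns; the two sample certificates are constructed, not real Amazon certificates.

```python
import ipaddress
import ssl

# Constructed sample certificates in getpeercert() dict shape (not real certs).
CERT_FOR_NAME = {
    "subject": ((("commonName", "www.amazon.com"),),),
    "subjectAltName": (("DNS", "www.amazon.com"), ("DNS", "amazon.com")),
}
CERT_FOR_IP = {
    "subject": ((("commonName", "72.21.206.5"),),),
    "subjectAltName": (("IP Address", "72.21.206.5"),),
}

def _dns_matches(pattern, hostname):
    """RFC 6125-style match: case-insensitive; '*' only as the whole left-most label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # Reject '*.com'-style patterns and wildcards that are not a full label.
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]

def presented_identities(cert):
    """Use subjectAltName when present; fall back to the CN only if no SAN exists."""
    san = cert.get("subjectAltName", ())
    if san:
        return list(san)
    return [("DNS", v) for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]

def cert_matches_reference(cert, reference):
    """Match the cert against what the application INTENDED to reach.

    A hostname reference only matches DNS identities; a literal IP reference only
    matches iPAddress identities. A cert for '72.21.206.5' therefore never
    satisfies a connection the caller made to 'www.amazon.com'.
    """
    try:
        ref_ip = ipaddress.ip_address(reference)
    except ValueError:
        ref_ip = None
    for kind, value in presented_identities(cert):
        if ref_ip is None and kind == "DNS" and _dns_matches(value, reference):
            return True
        if ref_ip is not None and kind == "IP Address":
            try:
                if ipaddress.ip_address(value) == ref_ip:
                    return True
            except ValueError:
                pass
    return False

def verified_context():
    """Stdlib equivalent: the intended name is supplied as server_hostname at wrap time."""
    ctx = ssl.create_default_context()  # sets check_hostname=True, CERT_REQUIRED
    return ctx  # use: ctx.wrap_socket(sock, server_hostname="www.amazon.com")
```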


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List
Automated List Manager
