RE: Avoiding "man in the middle" attacks
Greg Stark wrote:
> As somebody stated there is difference between authentication and
> authorization. Servers should be protected from "man in the middle"
> attacks via "Access Control" software which authorize access to
> files, servers, etc. via a triple combination of keys:
> FQDN (fully qualified domain name), TCP-IP address and user name
> (UID in Unix).

None of those things provide any protection from man-in-the-middle attacks. Just because I attempted to connect to 1.2.3.4, www.foo.com doesn't mean the machine I'm actually talking to is 1.2.3.4, www.foo.com. You have to assume the man in the middle has complete control over the middle.

DS
__
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
Error Message : IP address does not match the server name
Hi all,

I have set up openssl on a RedHat 6.1. I have created a self-signed cert using the perl module CA.pl. When I try to send mail or receive mail using the SSL connection using Outlook 98, the following error message occurs: "IP address does not match the server name". I have entered my server name (host.domain) as my common name (CN) in the certificate. I tried keying in the IP address and the error message no longer appears. So, I am wondering if this is due to a DNS error? (PS: I have set up a DNS server as well. When viewing the error log, error messages like "All A RR records are lame"...)

Thank you in advance.

Regards,
Sze Yee
extra challenge password?
hi.

i was creating a new cert for thawte website verification, when i noticed these 2 "extra" questions during the csr creation:

    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:

are these used for anything? i'm confused as to what they're for. i couldn't find anything in the list archives about them.

thanks for any info.

-tcl.
RE: Avoiding "man in the middle" attacks
As somebody stated there is difference between authentication and authorization. Servers should be protected from "man in the middle" attacks via "Access Control" software which authorize access to files, servers, etc. via a triple combination of keys: FQDN (fully qualified domain name), TCP-IP address and user name (UID in Unix).

Salvatore Ilardo
http://www.rokeby.com
[EMAIL PROTECTED]

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Michael Sierchio
Sent: Friday, October 27, 2000 3:30 PM
To: Greg Stark
Cc: [EMAIL PROTECTED]
Subject: Re: Avoiding "man in the middle" attacks

Greg Stark wrote:
>
> You need one more check. You need to check that the cert you are getting
> comes from the site you wanted to connect to.

That's not part of the protocol, it's something browsers do for
the naive user -- and has nothing to do with the man-in-the-middle
attack. If you accept the DN presented in the cert, and that's
who you want to communicate with, the DNS name is rather irrelevant.
And the integrity of DNS is far less sound than the cert identity
of the presenter.
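
Added example, not part of any message in this thread and not OpenSSL project code: the check the thread argues about (does the presented certificate name the peer the client meant to reach?) and the CN mismatch reported in the Outlook question, written as a Python matcher. It assumes the dict shape returned by ssl.SSLSocket.getpeercert(), uses constructed sample certificates, and falls back to the subject CN only when no DNS subjectAltName is present.

```python
import ipaddress

def _name_match(pattern: str, host: str) -> bool:
    """Compare one certificate DNS name with the wanted host, label by label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # Wildcard only as the whole left-most label, and never "*.tld"
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h

def cert_matches_peer(cert: dict, wanted: str) -> bool:
    """True if `wanted` (name or IP the client meant to reach) is an identity in `cert`."""
    sans = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(wanted)
    except ValueError:
        ip = None
    if ip is not None:
        # An IP literal matches only an IP SAN entry, never a DNS name or the CN
        return any(k == "IP Address" and ipaddress.ip_address(v) == ip
                   for k, v in sans)
    names = [v for k, v in sans if k == "DNS"]
    if not names:
        # Legacy fallback (assumption of this example): CN used only without DNS SANs
        names = [v for rdn in cert.get("subject", ())
                 for k, v in rdn if k == "commonName"]
    return any(_name_match(n, wanted) for n in names)

# Constructed sample certificates (not taken from any real server)
CN_ONLY = {"subject": ((("commonName", "host.domain.example"),),)}
WITH_SAN = {
    "subject": ((("commonName", "ignored.example"),),),
    "subjectAltName": (("DNS", "*.foo.example"), ("IP Address", "192.0.2.10")),
}

if __name__ == "__main__":
    for cert, wanted in [(CN_ONLY, "host.domain.example"), (CN_ONLY, "192.0.2.10"),
                         (WITH_SAN, "www.foo.example"), (WITH_SAN, "ignored.example")]:
        print(wanted, "->", cert_matches_peer(cert, wanted))
```

The comparison is only meaningful after the certificate chain itself has been validated; a matching name in an unverified certificate proves nothing about the peer.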