The check is "optional" on the application's part for z/OS System SSL:
https://www.ibm.com/docs/en/zos/2.5.0?topic=reference-gsk-validate-server

I use optional in quotes because the TLS protocol has two main purposes: encryption (which is not under discussion here) and preventing a man-in-the-middle attack. The server certificate proves the identity of the server that the client has actually connected to -- proves that it is not some imposter "in the middle." Yes, it is utterly possible for a client application to skip that step, but it is a Really Bad Idea.

If the user has specified an IP address then in some senses that is equivalent to a URL, except that there is no way to check that the server certificate is really for the site the user intended to connect to. (Unless the certificate is in fact issued for an IP address -- which is rare.)

Actually, some servers now will not even allow a connection by IP address: they demand a TLS protocol feature called Server Name Indication (SNI) in which the client indicates the name they are trying to connect to early in the TLS startup sequence. That lets a server respond differently depending on exactly which DNS name the user has specified.

Charles

On Mon, 26 Jun 2023 18:57:13 -0700, Tom Brennan <t...@tombrennansoftware.com> wrote:

>In my limited (non-mainframe) experience with OpenSSL, I think it's up
>to the application to decide whether to check the common name in a
>validated cert with, say, a URL or IP address string. So it could be that an
>older application didn't bother, and a newer one does. Just guessing.

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
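To make the identity check Charles describes concrete, here is an added example (not from the thread or from IBM's System SSL) that matches a connection target against a certificate's subjectAltName in the dict shape Python's ssl.SSLSocket.getpeercert() returns, and builds a client context that keeps hostname checking on and passes the target name as SNI. The certificate values are constructed for illustration; note that an IP-literal target matches only an "IP Address" SAN entry, which is exactly why connecting by IP to a server whose certificate names only DNS names cannot pass the check.

```python
import ipaddress
import ssl

# Constructed sample in the shape of ssl.SSLSocket.getpeercert():
# a certificate issued for two DNS names and one IP address (values made up).
SAMPLE_CERT = {
    "subject": ((("commonName", "mail.example.net"),),),
    "subjectAltName": (
        ("DNS", "mail.example.net"),
        ("DNS", "*.example.net"),
        ("IP Address", "192.0.2.10"),
    ),
}


def _dns_match(pattern: str, host: str) -> bool:
    """RFC 6125-style match: a leading '*.' covers exactly one left-most label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def peer_identity_matches(cert: dict, target: str) -> bool:
    """True if `target` (a DNS name or an IP literal) is covered by the cert's SAN.

    Only subjectAltName is consulted; the commonName in `subject` is ignored,
    as modern validators do. An IP literal matches only an 'IP Address' entry.
    """
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None
    for kind, value in cert.get("subjectAltName", ()):
        if ip is not None and kind == "IP Address":
            if ipaddress.ip_address(value) == ip:
                return True
        elif ip is None and kind == "DNS" and _dns_match(value, target):
            return True
    return False


def make_client_context() -> ssl.SSLContext:
    """Client context that requires a trusted cert AND a matching name.

    Wrap a socket with ctx.wrap_socket(sock, server_hostname=name): that
    name is both sent as SNI and compared against the peer's SAN.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = True          # the step an "older application" skipped
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx
```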