On 17/06/2017 03:05 AM, Tony Harminc wrote:
> It's validated the same way(s) any TLS client app (such as your desktop
> browser) validates a server certificate. I'm not sure why you seem to think
> this can't be done without client application program involvement.
There are 2 things that need to be validated with the certificate:
- That it is valid, i.e. has been signed by a trusted CA etc. AND
- That it belongs to the entity that the client is trying to connect to.
The description of AT-TLS says it takes control when the connection is
opened, but at this point name resolution has already occurred, hasn't it?
So how does AT-TLS know who the client is trying to connect to so it can
check the name in the certificate? I guess it would have to intercept
name resolution and assume that later connections to a resolved IP
address must match the name.
Or, maybe it is not intended for this type of general SSL connection.
I have been reading the documentation, but haven't been able to find
anything about how (or whether) the name in the certificate is validated.
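To make the two checks in the message above concrete, here is an added illustration (my own constructed code, not from the thread, from IBM documentation or from AT-TLS itself): chain trust and identity matching are separate decisions, and the identity check needs the name the client intended to reach. A layer that only learns a resolved IP address can match it solely against iPAddress SANs. The trust store, certificate fields and names are all constructed.

```python
"""Two separate checks behind 'is this server certificate acceptable?'.

Constructed data, not from the list thread. Chain validation is reduced to
a trusted-issuer lookup; the interesting part is the identity check, which
needs the target the client *asked for*. If only a resolved IP is known,
dNSName SANs cannot be matched and only an iPAddress SAN can satisfy it.
"""
import ipaddress

TRUSTED_ISSUERS = {"Example Root CA"}   # constructed trust store

# Constructed server certificate: issuer plus subjectAltName entries
SERVER_CERT = {
    "issuer": "Example Root CA",
    "san_dns": ["mail.example.com", "*.svc.example.com"],
    "san_ip": [],                        # no IP SANs, the common case
}

def chain_is_trusted(cert):
    """Check 1: the certificate chains to a trusted CA (simplified)."""
    return cert["issuer"] in TRUSTED_ISSUERS

def dns_name_matches(pattern, hostname):
    """RFC 6125 style dNSName match: case-insensitive; a wildcard is only
    allowed as the whole leftmost label and never spans a dot."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix = pattern[1:]                 # e.g. ".svc.example.com"
    if not hostname.endswith(suffix):
        return False
    left = hostname[: -len(suffix)]      # the label the '*' stands for
    return bool(left) and "." not in left

def identity_matches(cert, target):
    """Check 2: the certificate belongs to what the client asked for.
    `target` is whatever the connecting layer knows: a hostname, or only
    an IP address if it stepped in after name resolution already happened."""
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        return any(dns_name_matches(p, target) for p in cert["san_dns"])
    # Only an IP is known: dNSName SANs cannot be matched against it
    return any(ipaddress.ip_address(i) == ip for i in cert["san_ip"])

def certificate_acceptable(cert, target):
    """Both checks must pass; a valid chain alone proves nothing about identity."""
    return chain_is_trusted(cert) and identity_matches(cert, target)
```

Running `certificate_acceptable(SERVER_CERT, "192.0.2.10")` returns False even though the chain is trusted, which is exactly the gap the message asks about.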
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN