On 17 June 2017 at 01:45, Andrew Rowley <and...@blackhillsoftware.com> wrote:
> On 17/06/2017 03:05 AM, Tony Harminc wrote:
>
>> I'm not sure why you seem to think
>> this can't be done without client application program involvement.
>
> There are 2 things that need to be validated with the certificate:
> - That it is valid, i.e. has been signed by a trusted CA etc. AND
> - That it belongs to the entity that the client is trying to connect to.
>
> The description of AT-TLS says it takes control when the connection is
> opened, but at this point name resolution has already occurred, hasn't it?

Presumably so.

> So how does AT-TLS know who the client is trying to connect to so it can
> check the name in the certificate? I guess it would have to intercept name
> resolution and assume that later connections to a resolved IP address must
> match the name.

I very much doubt it does that.

> Or, maybe it is not intended for this type of general SSL connection.

I think it is, but there are limits. The application program always has the ability to perform its own operations wrt certificates, DNS, etc. etc. But of course this turns it from a drop-in does-everything solution to just an easier way of writing TLS into an app.

> I have been reading the documentation, but haven't been able to find
> anything about how (or whether) the name in the certificate is validated.

Your question in the context of MITM is very interesting, and of course in light of the exposures of state-level actors' malfeasance over the last few years, has become critical. It would seem that checking the certificate name against the DNS name used to resolve the IP address is also not sufficient to stop MITM. Google, Firefox, and various others have been active in introducing public key pinning and such, but I don't think AT-TLS has any support for such things beyond the ability to require that the server cert be "on file" i.e. already stored in RACF.

Really, I'm no expert on any of this.
I commented originally because I have found it very easy to use AT-TLS to allow an existing program that uses TCP sockets to work in a TLS environment. You are probably right that it not only does not, but can not, cover everything.

Tony H.
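
Added example, not part of the original message and not AT-TLS code: a Python sketch of the second check discussed in the thread (the certificate belongs to the entity the client meant to reach), showing that it needs the name the application resolved and cannot be done from the connected IP address alone. The certificate dictionaries are constructed samples in the shape returned by Python's `ssl.SSLSocket.getpeercert()`, the function names are hypothetical, and the first check (chain validation against a trusted CA) is assumed to have already succeeded.

```python
import ipaddress

# Constructed samples: both certificates are assumed to chain to a trusted CA.
INTENDED_CERT = {"subjectAltName": (("DNS", "bank.example"), ("DNS", "*.bank.example"))}
OTHER_CERT = {"subjectAltName": (("DNS", "other-site.example"),)}


def _dns_match(pattern, host):
    """Match one DNS entry; a wildcard counts only as the whole leftmost label."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = host.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        # Require at least two literal labels after the wildcard (rejects "*.example").
        return len(p_labels) >= 3 and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def cert_matches_target(cert, target):
    """Return True if a chain-validated cert names `target` (hostname or IP literal)."""
    san = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None
    if ip is not None:
        # An IP target matches only "IP Address" entries, never DNS names.
        return any(kind == "IP Address" and ipaddress.ip_address(value) == ip
                   for kind, value in san)
    return any(kind == "DNS" and _dns_match(value, target) for kind, value in san)


def demo():
    intended = "www.bank.example"  # the name the application asked the resolver for
    resolved_ip = "192.0.2.10"     # all that a layer below the application sees
    return {
        "intended_cert_by_name": cert_matches_target(INTENDED_CERT, intended),
        "other_cert_by_name": cert_matches_target(OTHER_CERT, intended),
        "intended_cert_by_ip": cert_matches_target(INTENDED_CERT, resolved_ip),
    }


if __name__ == "__main__":
    print(demo())
```

With only the resolved address to go on, even the intended server's certificate fails the name check, while chain validation alone would accept either certificate.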