On Thu, Jul 12, 2001 at 01:25:02PM +0000, skyper wrote:
> The programs are unclear about what to check the CN name against.
> If the user supplies an IP... should I check the CN name
> against the reverse lookup or not do a check at all?
>
> And if the user supplies a hostname?
> Should I do a gethostbyname and also compare against
> the aliases if the user-supplied hostname does not match?
> (The example applications don't do this... but it would be nice, I think.)
Consider the DNS to be an insecure source of information. The results
of any lookup (reverse or alias) must not be trusted.
You must compare the address given by the user with data given in
the certificate.
> Is there a way to poll all ciphers that are supported by the
> peer from the peer ?
In SSLv3/TLSv1 the client will send its list of supported ciphers to the
server. Therefore the server has complete knowledge. The protocol
does not offer a way for the client to get this list from the server.
Best regards,
Lutz
--
Lutz Jaenicke [EMAIL PROTECTED]
BTU Cottbus http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus Fax. +49 355 69-4153
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]