Dear Ladies and Gentlemen, I am writing to thank you for your comments about this matter and ask

On Thu, Jan 10, 2002 at 09:34:50AM -0500, Neff Robert A wrote:
> The client needs to verify who it is connected to.
> Anyone in the world can present a certificate to
> establish an ssl connection. In a nutshell, the
> checks that need to be made on the client end are:
> a. Do you trust the signer of the certificate received
> b. Is the CN contained within the cert what you expect
> ..snip..
> Your next task is to ensure that the
> trusted cert truly came from the site you expected and
> not www.someothersite.com. The browser does this step by
> comparing the CN contained in the cert to the URL address
> typed into your browser. Your own app must do so as well...

Is it possible to have an OpenSSL server located behind a Network Address Translation device (a NAT device is sometimes part of firewalls, e.g. the Cisco PIX) and still have the client handshake complete without error?

Here is the scenario. The server has a valid certificate signed by a root CA for Distinguished Name 'S'. DNS responds to an A record request from the client for S with the public interface of the NAT device (a PTR query for that address also returns S), but the OpenSSL server with that cert has a completely different address (because it has been translated).

One might do this because of outsourcing or merger activities that result in a new or different firewall. Presumably the network between the NAT box and the OpenSSL server is secure enough to be tolerable.

So:

1. Will the scenario above work?
2. If not, how can it be made to work?

Thank you,

Yours sincerely.

--
------------------------------------------------------------------------
Stanley Hopcroft
Network Specialist
------------------------------------------------------------------------
'...No man is an island, entire of itself; every man is a piece of the continent, a part of the main. If a clod be washed away by the sea, Europe is the less, as well as if a promontory were, as well as if a manor of thy friend's or of thine own were. Any man's death diminishes me, because I am involved in mankind; and therefore never send to know for whom the bell tolls; it tolls for thee...' from Meditation 17, J Donne.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
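The question above turns on step (b) of Neff's checklist: the client compares the name in the certificate against the name it intended to reach (the hostname in the URL), not against the IP address DNS returned, so an address translated by a NAT device never enters that comparison. The following is an added example, not code from the original thread or from the OpenSSL project. It reimplements that post-handshake name check with RFC 2818 / RFC 6125 matching rules over the dict layout Python's ssl.SSLSocket.getpeercert() returns, and goes slightly beyond the thread by also covering wildcard names and clients that connect by IP literal. The hostname secure.example.net standing in for 'S', the addresses 203.0.113.10 and 10.0.0.5, and the certificate contents are all constructed for illustration.

```python
"""Client-side hostname verification for the NAT scenario in the thread.

Added example, not from the original mailing-list post or from OpenSSL.
Names, addresses and certificate contents below are constructed.
"""
import ipaddress


class CertificateError(ValueError):
    """The certificate is not valid for the name the client asked for."""


def _dns_name_match(pattern: str, hostname: str) -> bool:
    """Match one dNSName/CN pattern against a hostname, case-insensitively.

    A '*' is honoured only as the whole leftmost label, must be followed by
    at least two more labels (so '*.com' never matches), and matches exactly
    one non-empty label (RFC 6125 section 6.4.3).
    """
    plabels = pattern.rstrip(".").lower().split(".")
    hlabels = hostname.rstrip(".").lower().split(".")
    if "*" not in pattern:
        return plabels == hlabels
    if plabels[0] != "*" or len(plabels) < 3:
        return False
    if any("*" in label for label in plabels[1:]):
        return False
    if len(hlabels) != len(plabels) or not hlabels[0]:
        return False
    return hlabels[1:] == plabels[1:]


def match_hostname(cert: dict, hostname: str) -> None:
    """Raise CertificateError unless `cert` is valid for `hostname`.

    `hostname` is the name the client INTENDED to reach (what was typed into
    the URL), never the address that DNS or the NAT device handed back.
    """
    san = cert.get("subjectAltName", ())
    dns_names = [value for kind, value in san if kind == "DNS"]
    ip_names = [value for kind, value in san if kind == "IP Address"]

    try:
        wanted_ip = ipaddress.ip_address(hostname)
    except ValueError:
        wanted_ip = None

    if wanted_ip is not None:
        # Client connected by IP literal: only an iPAddress SAN counts, and
        # it would have to carry the NAT device's public address.
        if any(ipaddress.ip_address(v) == wanted_ip for v in ip_names):
            return
        raise CertificateError(f"no iPAddress SAN for {hostname}")

    if dns_names:
        # dNSName SANs are authoritative; the CN is ignored when any exist.
        if any(_dns_name_match(p, hostname) for p in dns_names):
            return
        raise CertificateError(f"{hostname!r} not in SAN {dns_names}")

    # Legacy fallback for certificates without dNSName SANs: the subject CN.
    cns = [value for rdn in cert.get("subject", ()) for kind, value in rdn
           if kind == "commonName"]
    if any(_dns_name_match(cn, hostname) for cn in cns):
        return
    raise CertificateError(f"{hostname!r} does not match CN {cns}")


# Constructed certificate for the thread's server 'S', shaped like the output
# of ssl.SSLSocket.getpeercert(). 'S' is assumed to be secure.example.net;
# the NAT public interface and the translated address are assumed too.
SERVER_CERT = {
    "subject": ((("countryName", "AU"),), (("commonName", "secure.example.net"),)),
    "subjectAltName": (("DNS", "secure.example.net"),),
}
NAT_PUBLIC_ADDR = "203.0.113.10"   # what DNS returns for 'S'
REAL_SERVER_ADDR = "10.0.0.5"      # the translated address behind the NAT


def client_accepts(cert: dict, intended_host: str, resolved_addr: str) -> bool:
    """Return True when the post-handshake name check passes.

    `resolved_addr` is what the client actually connected to (the NAT public
    interface). It is deliberately unused: the check compares the certificate
    against the intended hostname, so neither the NAT address nor the
    translated address behind it takes part in the comparison.
    """
    try:
        match_hostname(cert, intended_host)
    except CertificateError:
        return False
    return True


if __name__ == "__main__":
    print("NAT scenario :", client_accepts(SERVER_CERT, "secure.example.net", NAT_PUBLIC_ADDR))
    print("wrong site   :", client_accepts(SERVER_CERT, "www.someothersite.com", NAT_PUBLIC_ADDR))
    print("by IP literal:", client_accepts(SERVER_CERT, NAT_PUBLIC_ADDR, NAT_PUBLIC_ADDR))
```

With real sockets the same thing happens when the TCP connect goes to the NAT address while the name check is fed the intended hostname: in Python, `ssl.create_default_context().wrap_socket(sock, server_hostname="secure.example.net")` performs this comparison (and sends that name as SNI), and in OpenSSL 1.0.2 and later `SSL_set1_host()` or `X509_check_host()` do it in C. The one caveat the example shows is the IP-literal case: a client that connects to the NAT's public address directly, rather than by name, will only pass if the certificate carries that public address as an iPAddress SAN.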