Personally I would have a second server outside the NAT device that proxies requests in and out of the server behind the firewall. There seems to me little point in having a firewall if you allow public access straight through it!
In that case you can secure the connection between the outside machine and the client machine without worrying about the firewall.

- 
John Airey
Internet systems support officer, ITCSD, Royal National Institute for the Blind,
Bakewell Road, Peterborough PE2 6XU
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848
[EMAIL PROTECTED]

Agnostic (Greek) = Ignoramus (Latin)

>-----Original Message-----
>From: Stanley Hopcroft [mailto:[EMAIL PROTECTED]]
>Sent: 14 January 2002 09:36
>To: [EMAIL PROTECTED]
>Subject: Re: Why DNS/IP in certificate?
>
>
>Dear Ladies and Gentlemen,
>
>I am writing to thank you for your comments about this matter and ask
>
>On Thu, Jan 10, 2002 at 09:34:50AM -0500, Neff Robert A wrote:
>>
>> The client needs to verify who it is connected to.
>> Anyone in the world can present a certificate to
>> establish an ssl connection. In a nutshell, the
>> checks that need to be made on the client end are:
>> a. Do you trust the signer of the certificate received
>> b. Is the CN contained within the cert what you expect
>>
>
>..snip..
>
>> Your next task is to ensure that the
>> trusted cert truly came from the site you expected and
>> not www.someothersite.com. The browser does this step by
>> comparing the CN contained in the cert to the URL address
>> typed into your browser. Your own app must do so as well...
>>
>
>is it possible to have an OpenSSL server located behind a
>Network Address Translation device (a NAT device is sometimes part of
>firewalls, eg the Cisco PIX) and still have the client handshake
>complete without error?
>
>Here is the scenario.
>
>Server has valid certificate signed by root CA for Distinguished Name
>'S'.
>
>DNS responds to an A record request from the client for S, with the
>public interface of the NAT device (PTR query for that address also
>returns S), but the OpenSSL server with that cert has a completely
>different address (because it's been translated).
>
>One might do this because of outsourcing or merger activities that
>result in a new or different firewall.
>
>Presumably the network between the NAT box and the OpenSSL server is
>secure enough to be tolerable.
>
>So :-
>
>1 Will the scenario above work ?
>2 If not, how can it be made to work ?
>
>Thank you,
>
>Yours sincerely.
>
>--
>------------------------------------------------------------------------
>Stanley Hopcroft                                      Network Specialist
>------------------------------------------------------------------------
>
>'...No man is an island, entire of itself; every man is a piece of the
>continent, a part of the main. If a clod be washed away by the sea,
>Europe is the less, as well as if a promontory were, as well as if a
>manor of thy friend's or of thine own were. Any man's death diminishes
>me, because I am involved in mankind; and therefore never send to know
>for whom the bell tolls; it tolls for thee...'
>
>from Meditation 17, J Donne.
>______________________________________________________________________
>OpenSSL Project                                 http://www.openssl.org
>User Support Mailing List                           [EMAIL PROTECTED]
>Automated List Manager                              [EMAIL PROTECTED]
>
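As an added illustration of the two client-side checks quoted from Neff Robert A above (this is not code from any poster in the thread), the Python below shows what step (b) actually compares: the names carried in the certificate against the name the client expected to reach. The IP address the TCP connection was made to, such as a NAT device's public interface, does not enter into that comparison, which is why the handshake in the scenario verifies cleanly as long as the certificate names S. The hostname s.example.org, the NAT address 203.0.113.10 and the cafile parameter are assumptions; the getpeercert() dictionaries are constructed stand-ins in the layout Python's ssl module returns.

```python
"""Client-side certificate name check (step (b) in the quoted post).

Added example. It assumes the expected name 's.example.org' and the NAT
public address 203.0.113.10 (documentation range); neither appears in
the original thread.
"""
import socket
import ssl


def _name_matches(pattern, name):
    """Case-insensitive DNS name match allowing a single leftmost wildcard
    label: '*.example.org' matches 's.example.org' but not 'example.org'
    or 'a.b.example.org'."""
    pattern = pattern.lower().rstrip(".")
    name = name.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == name
    p_labels = pattern.split(".")
    n_labels = name.split(".")
    # The wildcard must be the whole leftmost label, must leave at least two
    # fixed labels, and must cover exactly one label of the presented name.
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(n_labels):
        return False
    return p_labels[1:] == n_labels[1:]


def cert_dns_names(cert):
    """DNS names a certificate claims, read from the dict layout that
    ssl.SSLSocket.getpeercert() returns: subjectAltName dNSName entries,
    falling back to the subject CN only when no dNSName is present."""
    sans = [v for (kind, v) in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ())
            for (kind, v) in rdn if kind == "commonName"]


def hostname_matches(cert, expected_name):
    """Step (b): does the certificate name the host the client meant to reach?
    Only the expected name is compared; the address the TCP connection went
    to (for instance a NAT device's public interface) plays no part."""
    return any(_name_matches(n, expected_name) for n in cert_dns_names(cert))


def connect_verified(address, expected_name, port=443, cafile=None):
    """Open a TLS connection to `address` and verify it as `expected_name`.

    create_default_context() performs step (a), the chain check against the
    CAs in `cafile` (the system store when None); check_hostname performs
    step (b) against server_hostname, which is the name the client expects,
    not the address it dialled. Needs a network, so main() does not call it.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    with socket.create_connection((address, port)) as raw:
        with ctx.wrap_socket(raw, server_hostname=expected_name) as tls:
            return tls.getpeercert()


# Constructed stand-ins for what getpeercert() would return for the cert 'S'.
CERT_S = {
    "subject": ((("countryName", "AU"),), (("commonName", "s.example.org"),)),
    "subjectAltName": (("DNS", "s.example.org"),),
}
CERT_WILDCARD = {"subjectAltName": (("DNS", "*.example.org"),)}
CERT_CN_ONLY = {"subject": ((("commonName", "s.example.org"),),)}

NAT_PUBLIC_ADDRESS = "203.0.113.10"  # assumed: what DNS returns for S


def main():
    # Connecting to the NAT address while expecting S passes the name check
    # because the certificate names S; the address used is irrelevant.
    print("cert S, expected s.example.org:",
          hostname_matches(CERT_S, "s.example.org"))
    # The NAT address itself is not a name in the certificate.
    print("cert S, expected NAT address:",
          hostname_matches(CERT_S, NAT_PUBLIC_ADDRESS))
    print("cert S, expected www.someothersite.com:",
          hostname_matches(CERT_S, "www.someothersite.com"))


if __name__ == "__main__":
    main()
```

The practical consequence for the scenario in the thread: the client resolves S, connects to the NAT device's public interface, and verifies the certificate against the name S, so the translated inner address never appears in the check. The handshake only fails if the client is written to compare the certificate against the peer IP rather than the expected name, which is the mistake the quoted post warns against.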