Hmmm ... I see. The server certificate's CN is compared to the server's name as it is provided to the client. This is unlike the behavior of Kerberos, which performs a reverse lookup of the server's IP to locate its principal. I suppose this solves my problem creating unique DNs for each of my services. It poses, however, another problem. There are potentially many names by which my server can be accessed - I would rather not list them all in a certificate. Because I've used a wildcard in my DNS configuration, there are actually an infinite number of names by which my server can be accessed: a.server, aa.server, aaa.server, ... Furthermore, I frequently supply to clients only the hostname, to which the default domain is appended. In this case, the supplied name is a proper prefix of the CN, and the two don't match: "example.com" is appended to "smtp", but SSL unsuccessfully compares only "smtp" to the server's CN, "smtp.example.com". Can OpenSSL be configured to compare the certificate's CN to a reverse lookup of the server's IP?

Thanks,

Jack

On Jan 3, 2004, at 3:01 AM, Vadim Fedukovich wrote:

On Fri, Jan 02, 2004 at 02:09:39AM -0800, [EMAIL PROTECTED] wrote:
> I run several SSL enabled services on a single host. Especially since
> some of these don't run as root, I want to create a different
> certificate, with a different DN, for each service. However, each
> service certificate's CN must be the FQDN of the host.

Are you sure? There might be "www.example.com", "mail.example.com" and "dragonfly.example.com" each resolving to the same IP address, with dragonfly being the unix hostname and www being the apache ServerName.

> The kerberos
> principal syntax, "service/FQDN" (e.g. "imap/hal.discovery") doesn't
> work; the CN must match the FQDN exactly.
>
> Is there a recommended style for synthesizing unique DNs for different
> services on the same host?

What's the problem if someone types www.example.com into the browser and gets a server certificate issued to www (hosted at dragonfly)?

regards,
Vadim
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
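The matching behaviour Jack describes above (the client compares the name it was given, not a reverse lookup, and "smtp" does not match "smtp.example.com"), worked through as an added example; this is stand-alone illustration code, not code from the thread or from OpenSSL. CERT_NAMES is a constructed sample of the dNSName entries a server certificate could carry in its subjectAltName extension, and qualify() is a hypothetical helper standing in for the client's search-domain completion.

```python
"""Hostname matching as a TLS client does it (RFC 6125 style): the name the
client intends to reach is compared with the names the certificate presents.
Added example, not code from the thread; CERT_NAMES is a constructed sample
of subjectAltName dNSName entries (a CN alone would be a single name)."""

# Constructed sample: the names one server certificate could carry.
CERT_NAMES = ["smtp.example.com", "mail.example.com", "*.server"]


def qualify(hostname: str, default_domain: str) -> str:
    """Complete a bare host name ("smtp") with the search domain, as the
    client must do BEFORE comparing: "smtp" never equals "smtp.example.com"."""
    if "." in hostname:
        return hostname
    return f"{hostname}.{default_domain}"


def name_matches(cert_name: str, hostname: str) -> bool:
    """True if hostname matches one presented name. Matching is ASCII
    case-insensitive, label by label; a wildcard is accepted only as the
    complete left-most label and stands for exactly one label."""
    cert_labels = cert_name.lower().rstrip(".").split(".")
    host_labels = hostname.lower().rstrip(".").split(".")
    if len(cert_labels) != len(host_labels) or "" in host_labels:
        return False  # "smtp" (1 label) vs "smtp.example.com" (3 labels)
    first, rest = cert_labels[0], cert_labels[1:]
    if any("*" in label for label in rest) or (first != "*" and "*" in first):
        return False  # "s*.example.com" and "smtp.*.com" are not valid patterns
    if first == "*" and not rest:
        return False  # a bare "*" would match any single-label name
    if first != "*" and first != host_labels[0]:
        return False
    return rest == host_labels[1:]


def cert_matches(hostname: str, cert_names=CERT_NAMES) -> bool:
    """A certificate verifies for hostname if any presented name matches.
    Note what is NOT consulted: a reverse (PTR) lookup of the server's IP.
    Whoever controls the reverse zone could point it at any name, so the
    client checks the name it was told to connect to and nothing else."""
    return any(name_matches(name, hostname) for name in cert_names)


if __name__ == "__main__":
    for host in ["smtp", "smtp.example.com", "a.server", "a.b.server"]:
        print(f"{host:20} -> {cert_matches(host)}")
```

The wildcard entry covers a.server, aa.server, aaa.server and so on with one name, but only one label deep, so a.b.server still fails.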