On Wed, Jan 07, 2004, [EMAIL PROTECTED] wrote:

> Hmmm ... I see. The server certificate's CN is compared to the server's
> name as it is provided to the client. This is unlike the behavior of
> Kerberos, which performs a reverse lookup of the server's IP to locate
> its principal. I suppose this solves my problem creating unique DNs
> for each of my services. It poses, however, another problem. There are
> potentially many names by which my server can be accessed - I would
> rather not list them all in a certificate. Because I've used a wildcard
> in my DNS configuration, there are actually an infinite number of names
> by which my server can be accessed: a.server, aa.server, aaa.server,
> ... Furthermore, I frequently supply to clients only the hostname, to
> which the default domain is appended. In this case, the supplied name
> is a proper prefix of the CN, and the two don't match: "example.com" is
> appended to "smtp", but SSL unsuccessfully compares only "smtp" to the
> server's CN, "smtp.example.com". Can OpenSSL be configured to compare
> the certificate's CN to a reverse lookup of the server's IP?
OpenSSL doesn't itself do the compare; other applications such as web
browsers or email clients should do the compare. They specifically avoid
reverse DNS lookups because that would make SSL vulnerable to DNS spoofing.

You don't need to include all possible host names: just those which a
client will use to access a service on the server. It's a good idea to use
separate certificates for each service if possible, so smtp.hostname.com
would be used in the SMTP server whereas www.hostname.com would be used in
the webserver.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                          [EMAIL PROTECTED]
Automated List Manager                             [EMAIL PROTECTED]
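The comparison Steve describes, as an added illustration that is not part of the thread and not OpenSSL's code: an application matches the name the client was given (no reverse lookup, no default-domain completion) against the certificate's dNSName SANs, falling back to the CN only when no SAN is present, with a wildcard honoured only as the whole leftmost label. The certificate dict shape is the one Python's ssl.SSLSocket.getpeercert() returns; the sample certificate is constructed.

```python
# Added example: application-side host name check against a server
# certificate, the way browsers and mail clients do it (not OpenSSL itself).
# No reverse DNS is consulted, which is exactly why a bare "smtp" does not
# match a certificate issued for "smtp.example.com".

SAMPLE_CERT = {  # constructed sample in getpeercert() layout
    "subject": ((("commonName", "smtp.example.com"),),),
    "subjectAltName": (("DNS", "smtp.example.com"), ("DNS", "*.server")),
}


def names_from_peercert(cert):
    """Collect the certificate's dNSName SANs; fall back to the CN only when
    no dNSName SAN exists (current clients ignore the CN once SANs are present)."""
    dns = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if dns:
        return dns
    return [v for rdn in cert.get("subject", ()) for k, v in rdn
            if k == "commonName"]


def name_matches(pattern, host):
    """Compare one certificate name with the requested host, label by label.
    '*' counts only as the entire leftmost label and covers exactly one
    label: '*.server' matches 'aaa.server' but not 'server' or 'a.b.server'.
    Anything else containing '*' (e.g. 'f*.server') is compared literally."""
    pat = pattern.rstrip(".").lower().split(".")
    hst = host.rstrip(".").lower().split(".")
    if len(pat) < 2 or len(pat) != len(hst) or pat[1:] != hst[1:]:
        return False
    if pat[0] == "*":
        return hst[0] != ""
    return pat[0] == hst[0]


def hostname_matches(cert_names, requested_host):
    """True if the host the client connected to, exactly as it was given to
    the client, matches any name from the certificate."""
    return any(name_matches(n, requested_host) for n in cert_names)


if __name__ == "__main__":
    names = names_from_peercert(SAMPLE_CERT)
    for host in ("smtp", "smtp.example.com", "aaa.server", "a.b.server"):
        print(f"{host:18} -> {hostname_matches(names, host)}")
```

With the sample certificate only "smtp.example.com" and "aaa.server" pass, so the poster's "smtp" client configuration needs the fully qualified name, and the infinite "a.server, aa.server, ..." family is covered by one "*.server" SAN entry.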