hi Jack,

On Wed, Jan 07, 2004 at 12:39:37AM -0800, [EMAIL PROTECTED] wrote:
> Hmmm ... I see. The server certificate's CN is compared to the server's
> name as it is provided to the client. This is unlike the behavior of
> kerberos, which performs a reverse lookup of the server's IP to locate
> its principal. I suppose this solves my problem creating unique DNs
> for each of my services. It poses, however, another problem. There are
> potentially many names by which my server can be accessed - I would
> rather not list them all in a certificate. Because I've used a wildcard
> in my DNS configuration, there are actually an infinite number of names
> by which my server can be accessed: a.server, aa.server, aaa.server,

some clients may accept a wildcard in the server certificate CN, "*.example.com"

> ... Furthermore, I frequently supply to clients only the hostname, to
> which the default domain is appended. In this case, the supplied name

I never read a rule to add a default domain before matching with the subject CN
fetched from a certificate.

I should also say it might be better to outline example.com once again:
a web server advertised as "www.example.com" might be hosted at
"dragonfly.example.com" using a server certificate issued to
"www.example.com". The browser would check that the server certificate
matches the URL specified by the user and be happy it really does.

> is a proper prefix of the CN, and the two don't match: "example.com" is
> appended to "smtp", but SSL unsuccessfully compares only "smtp" to the
> server's CN, "smtp.example.com".

It's up to a client to implement such a comparison rule and it's unlikely
to be widely used.

> Can openSSL be configured to compare
> the certificate's CN to a reverse lookup of the server's IP?

OpenSSL is an open-source tool that you can make do something you'd like.
At some point the user should be convinced an OpenSSL-like product is
doing the right thing and/or provided with a description of what exactly
it is doing.

I'm curious what's the use of data from an (unsigned?) reverse zone here

regards,
Vadim

> Thanks,
>
> Jack
>
> On Jan 3, 2004, at 3:01 AM, Vadim Fedukovich wrote:
>
> > On Fri, Jan 02, 2004 at 02:09:39AM -0800, [EMAIL PROTECTED] wrote:
> >> I run several SSL-enabled services on a single host. Especially since
> >> some of these don't run as root, I want to create a different
> >> certificate, with a different DN, for each service. However, each
> >> service certificate's CN must be the FQDN of the host.
> >
> > Are you sure? There might be "www.example.com", "mail.example.com"
> > and "dragonfly.example.com" each resolving to the same IP address,
> > with dragonfly being the unix hostname and www being the apache ServerName.
> >
> >> The kerberos
> >> principal syntax, "service/FQDN" (eg. "imap/hal.discovery") doesn't
> >> work; the CN must match the FQDN exactly.
> >>
> >> Is there a recommended style for synthesizing unique DNs for different
> >> services on the same host?
> >
> > What's the problem if someone types www.example.com into the browser and
> > gets a server certificate issued to www (hosted at dragonfly)?
> >
> > regards,
> > Vadim
> > ______________________________________________________________________
> > OpenSSL Project http://www.openssl.org
> > User Support Mailing List [EMAIL PROTECTED]
> > Automated List Manager [EMAIL PROTECTED]
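As an added example (not code from the thread or from OpenSSL), here is the comparison the thread describes, in Python: the name the client asked for is matched against the certificate's names, with no reverse lookup of the server's IP. It goes a little beyond the CN-only discussion by honoring SAN dNSName entries (which modern clients prefer over the CN) and the whole-label wildcard some clients accept, and it shows that a short name like "smtp" only matches after the application qualifies it, since the TLS layer never appends a default domain. The certificate dict follows the shape of ssl.SSLSocket.getpeercert(); the sample certificate and default domain are constructed.

```python
"""TLS hostname matching: compare the requested name with the certificate,
never with a reverse lookup of the peer's IP address."""

# Constructed sample, shaped like ssl.SSLSocket.getpeercert() output.
SAMPLE_CERT = {
    "subject": ((("commonName", "smtp.example.com"),),),
    "subjectAltName": (("DNS", "smtp.example.com"), ("DNS", "*.example.com")),
}


def cert_names(cert):
    """Names the certificate is valid for: SAN dNSName entries when present,
    otherwise the subject CN as the legacy fallback."""
    sans = [v for t, v in cert.get("subjectAltName", ()) if t == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]


def name_matches(pattern, hostname):
    """Case-insensitive match of one certificate name against a hostname.
    A wildcard is only accepted as the entire leftmost label, must be
    followed by at least two labels, and matches exactly one label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" in hostname:
        return False  # a literal '*' in the requested name is never valid
    if "*" not in pattern:
        return pattern == hostname
    plabels, hlabels = pattern.split("."), hostname.split(".")
    if plabels[0] != "*" or len(plabels) < 3 or "*" in plabels[1:]:
        return False
    return len(hlabels) == len(plabels) and hlabels[1:] == plabels[1:]


def verify_hostname(cert, hostname):
    """True if the certificate is issued for the name the client connected to.
    The server's own unix hostname or PTR record plays no part."""
    return any(name_matches(n, hostname) for n in cert_names(cert))


def qualify(hostname, default_domain):
    """Mitigation for the short-name pitfall: the application appends the
    resolver's default domain before handing the name to the TLS layer."""
    return hostname if "." in hostname else f"{hostname}.{default_domain}"


if __name__ == "__main__":
    print(verify_hostname(SAMPLE_CERT, "smtp"))                          # False
    print(verify_hostname(SAMPLE_CERT, qualify("smtp", "example.com")))  # True
```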