If a client application is behind NAT, it does not have a real IP address. Certificate field 'common name' is supposed to contain a fully qualified domain name or a real IP address. Could the value of this field be ignored on SSL verification?
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 reg14@rambler.ru wrote:
If a client application is behind NAT, it does not have a real IP address. Certificate field 'common name' is supposed to contain a fully qualified domain name or a real IP address.
Indeed, but only for server certificates.
Could the value of this field be ignored on SSL verification?
Common names of client certificates are not validated on SSL servers. stunnel does not validate common names at all, as, unlike web browsers, it does not allow for dynamic selection of servers. Mike -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iEYEARECAAYFAlOakpYACgkQ/NU+nXTHMtHl/ACgyML1o6zyiv9YewtDC6ldfEYY vq8AmwYf4evLbNCBKc0WdmYm5XEvbvN3 =Dvnl -----END PGP SIGNATURE-----
On 13/Jun/2014 at 07:56:38 +0200, Michal Trojnara wrote:
Common names of client certificates are not validated on SSL servers.
stunnel does not validate common names at all, as, unlike web browsers, it does not allow for dynamic selection of servers.
If I understand the man page properly, in transparent mode stunnel should connect to any server that a non-SSL aware client is going to.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 reg14@rambler.ru wrote:
stunnel does not validate common names at all, as, unlike web browsers, it does not allow for dynamic selection of servers. If I understand the man page properly, in transparent mode stunnel should connect to any server that a non-SSL aware client is going to.
You understand the man page properly, although in transparent destination mode it would not be possible for stunnel to verify the common name against DNS name of the server. Why? Because stunnel does not know the target server's DNS name, only its IP address. Only the original client knows the server name that resolved to this IP address. Mike -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iEYEARECAAYFAlOaqkAACgkQ/NU+nXTHMtFB6gCg8TFgyzDk4hkOYFscfF9KRBN/ hesAn0tG3hv1zsRX1Avqtpk69nCc9elQ =qSPH -----END PGP SIGNATURE-----
participants (2)
-
Michal Trojnara -
reg14@rambler.ru