[stunnel-users] CN field of server cert
Michal Trojnara
Michal.Trojnara at mirt.net
Sun May 15 00:24:11 CEST 2005
Dear Anonymous,
(where is the traditional Polish politeness...)
On Saturday 14 of May 2005 22:50, spambox at poczta.onet.pl wrote:
> client = yes
> verify = 2
> CAfile = ThawteServerCA.txt
> [asd]
> accept = 127.0.0.1:60465
> connect = smtp.gmail.com:465
I don't think it's a good idea. You probably don't really *trust*
all companies that have a certificate signed by Thawte.
It's much better to have verify=3 and the exact certificate used
by the server as the CAfile parameter.
> I don't know how to enforce stunnel to verify CN field from server provided
> certificate.
What you need is cryptographic authentication.
CN verification is vulnerable to DNS poisoning.
> So, am I wrong that when someone hijack (mitm) this connection and provide
> any server cert signed by ThawteServerCA then I loose? Please add this
> verification to stunnel when verify is set to 2 or better as an separate
> option "verify_cn?" which could be used in service-level context.
No. I'm not going to give users a false sense of security.
> Usting this option with that described below I can drop 'verify' and
> 'CAfile' at all and feel much better. :)
No. You should download the peer certificate and verify it with verify=3.
Best regards,
Mike
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
URL: <http://www.stunnel.org/pipermail/stunnel-users/attachments/20050515/4f328876/attachment.sig>
More information about the stunnel-users
mailing list