[stunnel-users] Three patches: DNS CommonName verification support, separated stderr/foreground options, and support for minimal ssl libs
Tristan Schmelcher
tristan_schmelcher at alumni.uwaterloo.ca
Wed Jun 2 19:26:38 CEST 2010
On Wed, Jun 2, 2010 at 12:47 AM, Magnus Therning <
magnus+stunnel at therning.org <magnus%2Bstunnel at therning.org>> wrote:
> On Tue, Jun 1, 2010 at 19:46, Tristan Schmelcher
> <tristan_schmelcher at alumni.uwaterloo.ca> wrote:
> >
> >
> > On Tue, Jun 1, 2010 at 10:22 AM, Tristan Schmelcher
> > <tristan_schmelcher at alumni.uwaterloo.ca> wrote:
> >> On Tue, Jun 1, 2010 at 12:28 AM, Magnus Therning
> >> <magnus+stunnel at therning.org <magnus%2Bstunnel at therning.org>> wrote:
> [...]
> >>> 2. Is there any particular reason for not including SAN in the
> >>> verification as well?
> >>
> >> I confess that I have never heard of anything called SAN in the context
> of
> >> SSL/TLS, and I can't find anything about it online. Do you have a link?
> >>
> >
> > Oh, you mean SubjectAltName. I didn't implement that simply because the
> > certificates that I deal with do not have DNS names for their
> > SubjectAltName. I suppose it makes sense to do it, but it doesn't really
> add
> > any security because the SubjectAltName check passes if-and-only-if it's
> > equal to the CN and the CN check passes ... so it only fails if the
> > certificate is nonsense.
>
> I think you've gotten the use of SAN completely wrong. In fact, using the
> CN
> for the hostname is deprecated. This is from RFC 2818:
>
> If a subjectAltName extension of type dNSName is present, that MUST be
> used
> as the identity. Otherwise, the (most specific) Common Name field in the
> Subject field of the certificate MUST be used. Although the use of the
> Common Name is existing practice, it is deprecated and Certification
> Authorities are encouraged to use the dNSName instead.
>
> The use of SAN completements wildcards in a way. Using only CN you are in
> all
> practical cases limited to using wildcards, since most verifiers will only
> ever consider the first CN in the cert. Using SANs you can more easily
> restrict the cert to just a subset of the names that a server is known by.
>
>
Ah, yes that makes sense. I was going off of the behaviour of your original
patch, but I misread it (I expected to see "return" if it short-circuited
the remaining checks, so I didn't notice the "!ok" stuff). :P
In that case the optimal patch would be a combination of mine and yours. I
might see about putting that together.
> >>> 3. Are the patches released under GPL?
> >>
> >> No, I released them into the public domain since Michel requires that
> for
> >> any patches that are to be incorporated into mainline stunnel.
>
> Ah, excellent. I probably just missed that in your original email, or in
> the
> patches themselves.
>
>
Yeah, I stated it in the original email.
> /M
>
> --
> Magnus Therning (OpenPGP: 0xAB4DFBA4)
> magnus@therning.org Jabber: magnus@therning.org
> http://therning.org/magnus identi.ca|twitter: magthe
> _______________________________________________
> stunnel-users mailing list
> stunnel-users at mirt.net
> http://stunnel.mirt.net/mailman/listinfo/stunnel-users
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.stunnel.org/pipermail/stunnel-users/attachments/20100602/32e9afe1/attachment.html>
More information about the stunnel-users
mailing list