[stunnel-users] Three patches
Magnus Therning
magnus+stunnel at therning.org
Fri Jun 4 09:04:50 CEST 2010
On 01/06/10 15:09, Michal Trojnara wrote:
>
>Tristan Schmelcher wrote:
>> I saved the best for last. ;) This adds a "verify_dns" option to check the
>> CommonName in peer certificates against their DNS name when verifying, much
>> as web browsers do.
>>
>> I have seen posts from users asking for this feature in the past, so I
>> think its value is self-evident.
>
> The basic purpose of SSL/TLS is to prevent network-level attacks. Many
> years ago I refused to implement this option as it's inherently vulnerable
> to DNS spoofing and cache poisoning. I think my point stands even more
> nowadays with DNS cache poisoning attacks getting more and more popular.
>
> Also stunnel, unlike web browsers, connects a predefined (static) list of
> servers. It's much more secure to just download their certificates and
> check them with "verify = 3".
>
> I think I could add a Windows GUI option to download and save remote
> certificates. What do you think?
These were roughly the reasons for my implementing the verification for our
product:
- "verify=2" only does crypto checks (what's built into OpenSSL). This
isn't what our customers expect and when they find out they bother me with
questions ;-) We're also certifying our product, and this very item came
up there too.
- Our product is (somewhat of) an appliance with our control software
joining several of them together with a single master and many slaves.
To offer only "verify=3" we'd need to get every server's cert out to every
other server which would require adding a significant chunk of code to the
system.
Given the above and the time constraints it was deemed to be a good middle
ground to implement hostname (or IP) verification in stunnel.
My ToDo-list still contains an item to make it possible to choose between
verify=2 (with hostname verification) and verify=3.
/M
--
Magnus Therning (OpenPGP: 0xAB4DFBA4)
magnus@therning.org Jabber: magnus@therning.org
http://therning.org/magnus identi.ca|twitter: magthe
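The two checks the thread contrasts, as an added example written for this page in Go's standard library (it is not stunnel code): chain validation alone, what "verify = 2" does, never looks at the name the client meant to reach, so HostnameMatches supplies that step, and SPKIPin shows the comparison against a pre-stored key that a "verify = 3"-style configuration relies on instead of DNS. The certificate is self-signed and constructed in memory, and the hostnames are made up.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// makeCert builds a constructed self-signed certificate for host (CN and SAN),
// standing in for the certificate a peer would present during the handshake.
func makeCert(host string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// HostnameMatches is the step that chain validation alone ("verify = 2") skips:
// the name the client intended to reach must be listed in the certificate's SANs.
func HostnameMatches(cert *x509.Certificate, expected string) bool {
	return cert != nil && cert.VerifyHostname(expected) == nil
}

// SPKIPin is the SHA-256 of the peer's public key; a pinning check in the spirit
// of "verify = 3" compares it with a copy stored in advance and never consults DNS.
func SPKIPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return hex.EncodeToString(sum[:])
}

func main() {
	cert, err := makeCert("master.example.internal")
	fmt.Println(err, HostnameMatches(cert, "master.example.internal"), HostnameMatches(cert, "slave1.example.internal"), SPKIPin(cert))
}
```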