Re: backport of socat
On Thu, 04 Feb 2016, micah wrote:
> Peter Palfrader <weasel@debian.org> writes:
>
> > The feature I want is that socat now actually checks the server's
> > name against the certificate it presents when using openssl-connect.
> > (Something that stunnel4 still doesn't do.)
>
> Maybe I misunderstand what you want, but you should be verifying the
> signature, not that the CN field of the cert matches what the server
> name is.... otherwise that is vulnerable to DNS poisoning or other
> falsehoods. Also, where does the "server's name" come from?
>
> If you don't verify the certificate is valid, and you just want to verify
> that the server name matches the CN, then if I'm doing a MiTM I just
> need to make sure my fake certificate uses the correct host name, and
> then I win because you don't verify the certificate. Perhaps you want to
> verify the signature, as well as the CN? This isn't a requirement of
> SSL/TLS, and as a result isn't in openssl, as far as I can tell

Of course we verify that the certificate is valid (i.e. has been signed
by a recognized CA, has not expired, etc). That's a given.

However, if I want to connect to ftp-master.debian.org, and I get a
valid certificate for www.example.com, that's not exactly good.

Yet this is something I cannot check for with stable socat and stunnel.

--
| .''`. ** Debian **
Peter Palfrader | : :' : The universal
https://www.palfrader.org/ | `. `' Operating System
| `- https://www.debian.org/
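
Added example, not part of the original message and not socat's code: the two checks discussed in this thread, chain validation and name matching, shown as independent conditions that must both hold. The certificates are constructed sample data in the dict shape returned by Python's `ssl.SSLSocket.getpeercert()`, `chain_ok` is an assumed stand-in for the CA signature and expiry validation done by the TLS library, and the function names are hypothetical.

```python
# Added example: certificates below are constructed sample data, in the
# dict shape returned by ssl.SSLSocket.getpeercert().

def dns_names(cert):
    """Names the certificate is issued for: SAN dNSName entries, falling
    back to the subject CN only when there are none (RFC 6125)."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn
            if k == "commonName"]


def label_match(pattern, hostname):
    """Case-insensitive match; '*' only as the whole leftmost label."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h) or not all(h):
        return False
    if p[0] == "*" and len(p) > 2:
        return p[1:] == h[1:]
    return "*" not in pattern and p == h


def name_matches(cert, hostname):
    return any(label_match(n, hostname) for n in dns_names(cert))


def accept(cert, chain_ok, hostname):
    """Accept the peer only if the chain validated AND the name matches.
    chain_ok is an assumption standing in for the library's verification."""
    return chain_ok and name_matches(cert, hostname)


# Constructed certificates; each is assumed to chain to a trusted CA.
CERT_OTHER = {"subject": ((("commonName", "www.example.com"),),),
              "subjectAltName": (("DNS", "www.example.com"),)}
CERT_RIGHT = {"subject": ((("commonName", "ftp-master.debian.org"),),),
              "subjectAltName": (("DNS", "ftp-master.debian.org"),)}
CERT_WILD = {"subject": ((("commonName", "example.com"),),),
             "subjectAltName": (("DNS", "*.example.com"),)}

if __name__ == "__main__":
    for cert in (CERT_OTHER, CERT_RIGHT):
        print(dns_names(cert), accept(cert, True, "ftp-master.debian.org"))
```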