Re: backport of socat

[Peter Palfrader <weasel@debian.org>]

On Thu, 04 Feb 2016, micah wrote:

> Peter Palfrader <weasel@debian.org> writes:
> 
> > The feature I want is that socat now actually checks the server's
> > name against the certificate it presents when using openssl-connect.
> > (Something that stunnel4 still doesn't do.)
> 
> Maybe I misunderstand what you want, but you should be verifying the
> signature, not that the CN field of the cert matches what the server
> name is.... otherwise that is vulnerable to DNS poisoning or other
> falsehoods. Also, where does the "server's name" come from?
> 
> If you dont verify the certificate is valid, and you just want to verify
> that the server name matches the CN, then if I'm doing a MiTM I just
> need to make sure my fake certificate uses the correct host name, and
> then I win because you don't verify the certificate. Perhaps you want to
> verify the signature, as well as the CN? This isn't a requirement of
> SSL/TLS, and as a result isn't in openssl, as far as I can tell

Of course we verify that the certificate is valid (i.e. has been signed
by a recognized CA, has not expired, etc).  That's a given.

However, if I want to connect to ftp-master.debian.org, and I get a
valid certificate for www.example.com, that's not exactly good.

Yet this is something I cannot check for with stable socat and stunnel.

-- 
                            |  .''`.       ** Debian **
      Peter Palfrader       | : :' :      The  universal
 https://www.palfrader.org/ | `. `'      Operating System
                            |   `-    https://www.debian.org/