[openssl.org #2549] [Bug report / Linux / openssl 0.9.8k-7ubuntu8.6] openssl s_client does not verify certificate against server's host name

classic Classic list List threaded Threaded
9 messages Options
Reply | Threaded
Open this post in threaded view
|

[openssl.org #2549] [Bug report / Linux / openssl 0.9.8k-7ubuntu8.6] openssl s_client does not verify certificate against server's host name

Rich Salz via RT
Hello,

openssl s_client -connect hostname.domain.com:443 does not verify that
the certificate matches the hostname. (i.e. hostname.domain.com should
match either the CN of subject, or in one of the subjectAltNames)

Without such verification any web site owner who has a certificate can
mount a man-in-the-middle attack against any other web site.

Thanks,

Alain

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [hidden email]
Automated List Manager                           [hidden email]
Reply | Threaded
Open this post in threaded view
|

Re: [openssl.org #2549] [Bug report / Linux / openssl 0.9.8k-7ubuntu8.6] openssl s_client does not verify certificate against server's host name

JoelKatz
On 6/26/2011 5:59 AM, Alain Knaff via RT wrote:

> openssl s_client -connect hostname.domain.com:443 does not verify that
> the certificate matches the hostname. (i.e. hostname.domain.com should
> match either the CN of subject, or in one of the subjectAltNames)

> Without such verification any web site owner who has a certificate can
> mount a man-in-the-middle attack against any other web site.

The certificate is displayed. Because this is merely a test tool and
example code, that would seem to be sufficient.

DS

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [hidden email]
Automated List Manager                           [hidden email]
Reply | Threaded
Open this post in threaded view
|

Re: [openssl.org #2549] [Bug report / Linux / openssl 0.9.8k-7ubuntu8.6] openssl s_client does not verify certificate against server's host name

Ben Laurie-2
On 26/06/2011 15:40, David Schwartz wrote:

> On 6/26/2011 5:59 AM, Alain Knaff via RT wrote:
>
>> openssl s_client -connect hostname.domain.com:443 does not verify that
>> the certificate matches the hostname. (i.e. hostname.domain.com should
>> match either the CN of subject, or in one of the subjectAltNames)
>
>> Without such verification any web site owner who has a certificate can
>> mount a man-in-the-middle attack against any other web site.
>
> The certificate is displayed. Because this is merely a test tool and
> example code, that would seem to be sufficient.

Actually, it would be nice if it showed how to check the name.

Apparently people forget to do that, and no surprise if the example code
doesn't show how.

--
http://www.apache-ssl.org/ben.html           http://www.links.org/

"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [hidden email]
Automated List Manager                           [hidden email]
Reply | Threaded
Open this post in threaded view
|

Re: [openssl.org #2549] [Bug report / Linux / openssl 0.9.8k-7ubuntu8.6] openssl s_client does not verify certificate against server's host name

Peter Sylvester-3
In reply to this post by Rich Salz via RT
On 06/26/2011 02:59 PM, Alain Knaff via RT wrote:
> Hello,
>
> openssl s_client -connect hostname.domain.com:443 does not verify that
> the certificate matches the hostname. (i.e. hostname.domain.com should
> match either the CN of subject, or in one of the subjectAltNames)
>
> Without such verification any web site owner who has a certificate can
> mount a man-in-the-middle attack against any other web site.
verifying a hostname is not part of SSL/TLS layer.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [hidden email]
Automated List Manager                           [hidden email]
Reply | Threaded
Open this post in threaded view
|

Re: [openssl.org #2549] [Bug report / Linux / openssl 0.9.8k-7ubuntu8.6] openssl s_client does not verify certificate against server's host name

Rich Salz via RT
On 06/26/2011 02:59 PM, Alain Knaff via RT wrote:
> Hello,
>
> openssl s_client -connect hostname.domain.com:443 does not verify that
> the certificate matches the hostname. (i.e. hostname.domain.com should
> match either the CN of subject, or in one of the subjectAltNames)
>
> Without such verification any web site owner who has a certificate can
> mount a man-in-the-middle attack against any other web site.
verifying a hostname is not part of SSL/TLS layer.


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [hidden email]
Automated List Manager                           [hidden email]
Reply | Threaded
Open this post in threaded view
|

Re: [openssl.org #2549] [Bug report / Linux / openssl 0.9.8k-7ubuntu8.6] openssl s_client does not verify certificate against server's host name

Peter Sylvester-3
In reply to this post by Peter Sylvester-3
On 06/26/2011 08:05 PM, Peter Sylvester wrote:

> On 06/26/2011 02:59 PM, Alain Knaff via RT wrote:
>> Hello,
>>
>> openssl s_client -connect hostname.domain.com:443 does not verify that
>> the certificate matches the hostname. (i.e. hostname.domain.com should
>> match either the CN of subject, or in one of the subjectAltNames)
>>
>> Without such verification any web site owner who has a certificate can
>> mount a man-in-the-middle attack against any other web site.
> verifying a hostname is not part of SSL/TLS layer.
OTOH It might have been a good idea 10 years ago
to have a function in openssl to permit hostname
verification in case of usage for https, one might have
avoided some strange certificate content.
But extension support was somewhat weak.

... there are multiple common names, some clients test the
last, some the first occurence in the DN. Some clients
totally ignore subjectAltNames. etc.

It would be interesting to see possible parameters
for a function that would attempt to implement
rfc6125. :-)


regards

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [hidden email]
Automated List Manager                           [hidden email]
Reply | Threaded
Open this post in threaded view
|

Re: [openssl.org #2549] [Bug report / Linux / openssl 0.9.8k-7ubuntu8.6] openssl s_client does not verify certificate against server's host name

Rich Salz via RT
On 06/26/2011 08:05 PM, Peter Sylvester wrote:

> On 06/26/2011 02:59 PM, Alain Knaff via RT wrote:
>> Hello,
>>
>> openssl s_client -connect hostname.domain.com:443 does not verify that
>> the certificate matches the hostname. (i.e. hostname.domain.com should
>> match either the CN of subject, or in one of the subjectAltNames)
>>
>> Without such verification any web site owner who has a certificate can
>> mount a man-in-the-middle attack against any other web site.
> verifying a hostname is not part of SSL/TLS layer.
OTOH It might have been a good idea 10 years ago
to have a function in openssl to permit hostname
verification in case of usage for https, one might have
avoided some strange certificate content.
But extension support was somewhat weak.

... there are multiple common names, some clients test the
last, some the first occurence in the DN. Some clients
totally ignore subjectAltNames. etc.

It would be interesting to see possible parameters
for a function that would attempt to implement
rfc6125. :-)


regards


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [hidden email]
Automated List Manager                           [hidden email]
Reply | Threaded
Open this post in threaded view
|

Re: [openssl.org #2549] [Bug report / Linux / openssl 0.9.8k-7ubuntu8.6] openssl s_client does not verify certificate against server's host name

Alain Knaff-2
On 27/06/11 11:54, Peter Sylvester via RT wrote:

> On 06/26/2011 08:05 PM, Peter Sylvester wrote:
>> On 06/26/2011 02:59 PM, Alain Knaff via RT wrote:
>>> Hello,
>>>
>>> openssl s_client -connect hostname.domain.com:443 does not verify that
>>> the certificate matches the hostname. (i.e. hostname.domain.com should
>>> match either the CN of subject, or in one of the subjectAltNames)
>>>
>>> Without such verification any web site owner who has a certificate can
>>> mount a man-in-the-middle attack against any other web site.
>> verifying a hostname is not part of SSL/TLS layer.
> OTOH It might have been a good idea 10 years ago
> to have a function in openssl to permit hostname
> verification in case of usage for https, one might have
> avoided some strange certificate content.
> But extension support was somewhat weak.

I think it is still a good idea to implement this.

I've tried to use openssl to check certificate installations on our
server. Indeed, it has happened often in the past that we had mixups
with chained certificates. When this happens, the browser does not  flag
the problem, if the chain certificate happens to be in its cache due to
an earlier visit to the same site (when it was still ok), or to another
site which uses the same CA. So, when doing such tests with a browser, I
need to be extra careful to manually remove any chained certificates,
which is cumbersome.

Openssl now looked promising for doing this test, as it doesn't have any
such cache. But unfortunately, it doesn't catch mismatches with server
names :-(

>
> ... there are multiple common names, some clients test the
> last, some the first occurence in the DN.

That's why it is useful to have a reliable test tool.

> Some clients
> totally ignore subjectAltNames. etc.

Most mainstream clients nowadays do support subjectAltNames.

>
> It would be interesting to see possible parameters
> for a function that would attempt to implement
> rfc6125. :-)
>
>
> regards
>

Thanks,

Alain
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [hidden email]
Automated List Manager                           [hidden email]
Reply | Threaded
Open this post in threaded view
|

Re: [openssl.org #2549] [Bug report / Linux / openssl 0.9.8k-7ubuntu8.6] openssl s_client does not verify certificate against server's host name

Rich Salz via RT
On 27/06/11 11:54, Peter Sylvester via RT wrote:

> On 06/26/2011 08:05 PM, Peter Sylvester wrote:
>> On 06/26/2011 02:59 PM, Alain Knaff via RT wrote:
>>> Hello,
>>>
>>> openssl s_client -connect hostname.domain.com:443 does not verify that
>>> the certificate matches the hostname. (i.e. hostname.domain.com should
>>> match either the CN of subject, or in one of the subjectAltNames)
>>>
>>> Without such verification any web site owner who has a certificate can
>>> mount a man-in-the-middle attack against any other web site.
>> verifying a hostname is not part of SSL/TLS layer.
> OTOH It might have been a good idea 10 years ago
> to have a function in openssl to permit hostname
> verification in case of usage for https, one might have
> avoided some strange certificate content.
> But extension support was somewhat weak.

I think it is still a good idea to implement this.

I've tried to use openssl to check certificate installations on our
server. Indeed, it has happened often in the past that we had mixups
with chained certificates. When this happens, the browser does not  flag
the problem, if the chain certificate happens to be in its cache due to
an earlier visit to the same site (when it was still ok), or to another
site which uses the same CA. So, when doing such tests with a browser, I
need to be extra careful to manually remove any chained certificates,
which is cumbersome.

Openssl now looked promising for doing this test, as it doesn't have any
such cache. But unfortunately, it doesn't catch mismatches with server
names :-(

>
> ... there are multiple common names, some clients test the
> last, some the first occurence in the DN.

That's why it is useful to have a reliable test tool.

> Some clients
> totally ignore subjectAltNames. etc.

Most mainstream clients nowadays do support subjectAltNames.

>
> It would be interesting to see possible parameters
> for a function that would attempt to implement
> rfc6125. :-)
>
>
> regards
>

Thanks,

Alain


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [hidden email]
Automated List Manager                           [hidden email]