[stunnel-users] CN field of server cert
Michal.Trojnara at mirt.net
Sun May 15 00:24:11 CEST 2005
(where is the traditional Polish politeness...)
On Saturday 14 of May 2005 22:50, spambox at poczta.onet.pl wrote:
> client = yes
> verify = 2
> CAfile = ThawteServerCA.txt
> accept = 127.0.0.1:60465
> connect = smtp.gmail.com:465
I don't think it's a good idea. You probably don't really *trust*
all companies that have a certificate signed by Thawte.
It's much better to have verify=3 and the exact certificate used
by the server as the CAfile parameter.
> I don't know how to enforce stunnel to verify CN field from server provided
What you need is cryptographic authentication.
CN verification is vulnerable to DNS poisoning.
> So, am I wrong that when someone hijack (mitm) this connection and provide
> any server cert signed by ThawteServerCA then I loose? Please add this
> verification to stunnel when verify is set to 2 or better as an separate
> option "verify_cn?" which could be used in service-level context.
No. I'm not going to give users a false sense of security.
> Usting this option with that described below I can drop 'verify' and
> 'CAfile' at all and feel much better. :)
No. You should download the peer certificate and verify it with verify=3.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Size: 189 bytes
Desc: not available
More information about the stunnel-users