[stunnel-users] Common Name checking
mbolton at boltz.co.uk
Tue Jul 14 13:21:26 CEST 2009
I believe this has been discussed before on the list but I wanted to
get a better understanding and confirm the current situation.

Is it still correct that when using verify=2, the peer's hostname is
not checked (via a name service lookup) to match the Common Name in
the presented certificate? With the main reason being that you cannot
necessarily trust the name service?

I am asking because we have a closed network in which we do trust our
DNS servers, and Common Name checking would be advantageous to us
given the following scenario:

We have a single (central) host that connects to multiple
'client' hosts via stunnel. The central host presents a certificate
signed by our own CA. Each client has a copy of our CA's certificate
and has verify=2. So when the central server connects, the client
checks that the certificate presented has really been signed by our
own CA. So using this mechanism, only servers (i.e. the central
server) with a signed certificate are allowed to connect.

All good so far, however the problem is if the signed certificate is
copied (stolen) to another server. This 'other' server can connect to
all the clients also. With Common Name checking, the clients could, as
well as checking the signature, check that the presenting host has the
same hostname as in the certificate.

Is there any way we can use stunnel to help us guard against this
'stolen cert' situation or, if not, what else could we do?
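
The check the post describes, sketched as an added example that is not part of the original message and is not stunnel code: after the CA signature has been verified, forward-resolve the certificate's Common Name and accept the peer only if the connecting address is among the results. The function names, the hostname `central.example.internal`, the addresses and the DNS table are all constructed for illustration, and the result is only as trustworthy as the name service, as the post assumes.

```python
import ipaddress
import socket


def common_name(peer_cert):
    """Subject commonName from a dict shaped like ssl.SSLSocket.getpeercert()."""
    for rdn in peer_cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def system_resolver(hostname):
    """Forward-resolve a hostname with the system name service."""
    infos = socket.getaddrinfo(hostname, None)
    # Drop any IPv6 zone suffix ("%eth0") so the address parses cleanly.
    return {info[4][0].split("%")[0] for info in infos}


def peer_matches_common_name(peer_cert, peer_ip, resolver=system_resolver):
    """True only if the certificate's CN resolves to the address that connected."""
    cn = common_name(peer_cert)
    if not cn:
        return False  # no CN to compare: fail closed
    try:
        addresses = resolver(cn)
    except OSError:
        return False  # lookup failure: fail closed
    peer = ipaddress.ip_address(peer_ip)
    return any(ipaddress.ip_address(a) == peer for a in addresses)


# Constructed sample data (assumptions, not values from the post).
CONSTRUCTED_DNS = {"central.example.internal": {"10.0.0.5"}}
CONSTRUCTED_CERT = {"subject": ((("commonName", "central.example.internal"),),)}


def constructed_resolver(hostname):
    """Stand-in for the trusted internal DNS, so the example runs offline."""
    return CONSTRUCTED_DNS.get(hostname, set())


if __name__ == "__main__":
    # Central host connecting from its registered address.
    print(peer_matches_common_name(CONSTRUCTED_CERT, "10.0.0.5", constructed_resolver))
    # Same certificate presented from a different host.
    print(peer_matches_common_name(CONSTRUCTED_CERT, "10.0.0.66", constructed_resolver))
```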