[stunnel-users] Three patches: DNS CommonName verification support, separated stderr/foreground options, and support for minimal ssl libs

Tristan Schmelcher tristan_schmelcher at alumni.uwaterloo.ca
Tue Jun 1 20:46:36 CEST 2010


On Tue, Jun 1, 2010 at 10:22 AM, Tristan Schmelcher <
tristan_schmelcher at alumni.uwaterloo.ca> wrote:

>
>
> On Tue, Jun 1, 2010 at 12:28 AM, Magnus Therning <
> magnus+stunnel at therning.org> wrote:
>
>> On Mon, May 31, 2010 at 22:50, Tristan Schmelcher
>> <tristan_schmelcher at alumni.uwaterloo.ca> wrote:
>> [...]
>> > stunnel-4.33-dns-commonname-verify-support.patch:
>> >
>> > I saved the best for last. ;) This adds a "verify_dns" option to check
>> > the CommonName in peer certificates against their DNS name when
>> > verifying, much as web browsers do.
>> >
>> > I have seen posts from users asking for this feature in the past, so I
>> > think its value is self-evident.
>>
>> I do like the use of a configuration option to turn on hostname
>> verification.  And as you say there have been requests for this
>> feature in the past, but there have also been posts of patches
>> implementing it in the past (e.g.
>> http://stunnel.mirt.net/pipermail/stunnel-users/2010-March/002613.html
>> by me, but sans the option bit :-).
>
>
> For some reason your patch didn't turn up when I was searching for this
> feature before.
>
> My thinking is that having an option for it makes a big difference.
>
>
>> I do have some questions though:
>>
>> 1. If I read this patch correctly it only checks CN, is that correct?
>>
>
> Correct.
>
>
>> 2. Is there any particular reason for not including SAN in the
>> verification as well?
>>
>
> I confess that I have never heard of anything called SAN in the context of
> SSL/TLS, and I can't find anything about it online. Do you have a link?
>
>

Oh, you mean SubjectAltName. I didn't implement that simply because the
certificates that I deal with do not have DNS names for their
SubjectAltName. I suppose it makes sense to do it, but it doesn't really add
any security because the SubjectAltName check passes if-and-only-if it's
equal to the CN and the CN check passes ... so it only fails if the
certificate is nonsense.


>  3. Are the patches released under GPL?
>>
>
> No, I released them into the public domain since Michel requires that for
> any patches that are to be incorporated into mainline stunnel.
>
>
>>
>> /M
>>
>> --
>> Magnus Therning                        (OpenPGP: 0xAB4DFBA4)
>> magnus@therning.org          Jabber: magnus@therning.org
>> http://therning.org/magnus         identi.ca|twitter: magthe
>>
>
>
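The CN-versus-SubjectAltName point discussed above, as an added example that is not part of this thread or of stunnel's code: a hostname check over an `ssl.getpeercert()`-style certificate dict that uses SAN dNSName entries when any are present and falls back to the CommonName only when none exist (the matching rule of RFC 6125), with leftmost-label-only wildcards. The two certificates are constructed for the demonstration.

```python
def _dns_names(cert):
    """Split an ssl.getpeercert()-style dict into (SAN dNSName list, CN list)."""
    san = [v for (k, v) in cert.get("subjectAltName", ()) if k == "DNS"]
    cns = [v for rdn in cert.get("subject", ()) for (k, v) in rdn if k == "commonName"]
    return san, cns


def _pattern_matches(pattern, hostname):
    """Case-insensitive comparison; '*' is allowed only as the entire leftmost label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    p_labels = pattern.split(".")[1:]          # labels after the wildcard
    h_labels = hostname.split(".")
    # Wildcard must cover exactly one label, and a pattern like "*.com" is rejected.
    return (len(p_labels) >= 2
            and len(h_labels) == len(p_labels) + 1
            and h_labels[1:] == p_labels)


def match_hostname(cert, hostname):
    """True if hostname is covered by the certificate's DNS identities.

    SAN dNSName entries are authoritative; the CN is consulted only for
    certificates that carry no SAN dNSName at all.
    """
    san, cns = _dns_names(cert)
    candidates = san if san else cns
    return any(_pattern_matches(p, hostname) for p in candidates)


# Constructed sample certificates (not real issued certificates).
CERT_WITH_SAN = {
    "subject": ((("commonName", "example.com"),),),
    "subjectAltName": (("DNS", "api.example.com"),
                       ("DNS", "*.cdn.example.com"),
                       ("IP Address", "192.0.2.10")),
}
CERT_CN_ONLY = {
    "subject": ((("countryName", "US"),), (("commonName", "legacy.example.net"),)),
}
```

With `CERT_WITH_SAN`, `example.com` is rejected even though it is the CN, because the SAN list governs once present; this is why a CN-only check and a SAN-aware check are not equivalent.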