[stunnel-users] Three patches
magnus+stunnel at therning.org
Fri Jun 4 09:04:50 CEST 2010
On 01/06/10 15:09, Michal Trojnara wrote:
>Tristan Schmelcher wrote:
>> I saved the best for last. ;) This adds a "verify_dns" option to check the
>> CommonName in peer certificates against their DNS name when verifying, much
>> as web browsers do.
>> I have seen posts from users asking for this feature in the past, so I
>> think it's value is self-evident.
> The basic purpose of SSL/TLS is to prevent network-level attacks. Many
> years ago I refused to implement this option as it's inherently vulnerable
> to DNS spoofing and cache poisoning. I think my point stands even more
> nowadays with DNS cache poisoning attacks getting more and more popular.
> Also stunnel, unlike web browsers, connects a predefined (static) list of
> servers. It's much more secure to just download their certificates and
> check them with "verify = 3".
> I think I could add a Windows GUI option to download and save remote
> certificates. What do you think?
These were roughly the reasons for my implementing the verification for our
- "verify=2" only does crypto checks (what's built into OpenSSL). This
isn't what our customers expect and when they find out they bother me with
questions ;-) We're also certifying our product, and this very item came
up there too.
- Our product is (somewhat of) an appliance with our control software
joining several of them together with a single master and many slaves.
To offer only "verify=3" we'd need to get every server's cert out to every
other server which would require adding a significant chunk of code to the
Given the above and the time constraints it was deemed to be a good middle
ground to implement hostname (or IP) verification in stunnel.
My ToDo-list still contains an item to make it possible to choose between
verify=2 (with hostname verification) and verify=3.
Magnus Therning (OpenPGP: 0xAB4DFBA4)
magnus＠therning．org Jabber: magnus＠therning．org
http://therning.org/magnus identi.ca|twitter: magthe
More information about the stunnel-users