
Re: backport of socat



Peter Palfrader <weasel@debian.org> writes:

> The feature I want is that socat now actually checks the server's
> name against the certificate it presents when using openssl-connect.
> (Something that stunnel4 still doesn't do.)

Maybe I misunderstand what you want, but you should be verifying the
signature, not that the CN field of the cert matches what the server
name is.... otherwise that is vulnerable to DNS poisoning or other
falsehoods. Also, where does the "server's name" come from?

If you don't verify the certificate is valid, and you just want to verify
that the server name matches the CN, then if I'm doing a MiTM I just
need to make sure my fake certificate uses the correct host name, and
then I win because you don't verify the certificate. Perhaps you want to
verify the signature, as well as the CN? This isn't a requirement of
SSL/TLS, and as a result isn't in openssl, as far as I can tell

micah

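The distinction the reply draws, a name-only check versus a full chain-and-name check, as an added example that is not part of this thread and not socat's or OpenSSL's own code. It uses Go's standard crypto/x509 package and builds all of its certificate material in memory: a constructed private CA, a server certificate that CA signed, and a self-signed certificate carrying the same (hypothetical) hostname, which is what a man-in-the-middle without the CA key can produce. The name-only check accepts both; the full check accepts only the certificate that chains to the trusted root.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Hypothetical server name; not taken from the thread.
const Host = "backports.example.org"

func mustKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// template returns a minimal certificate template: a CA when isCA is set,
// otherwise a TLS server leaf whose SAN carries the hostname.
func template(serial int64, cn string, isCA bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		t.KeyUsage |= x509.KeyUsageCertSign
	} else {
		t.DNSNames = []string{cn}
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// makeCert signs tmpl with signer; when parent is nil the result is self-signed.
func makeCert(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

// Scenario holds the constructed test material.
type Scenario struct {
	Roots  *x509.CertPool   // the one CA the client trusts
	Legit  *x509.Certificate // issued by that CA for Host
	Forged *x509.Certificate // self-signed, but also claims Host
}

func NewScenario() Scenario {
	caKey := mustKey()
	ca := makeCert(template(1, "Constructed Test CA", true), nil, &caKey.PublicKey, caKey)

	legitKey := mustKey()
	legit := makeCert(template(2, Host, false), ca, &legitKey.PublicKey, caKey)

	// An interposer chooses any name it likes, but without the CA key the
	// certificate can only be self-signed.
	forgedKey := mustKey()
	forged := makeCert(template(3, Host, false), nil, &forgedKey.PublicKey, forgedKey)

	pool := x509.NewCertPool()
	pool.AddCert(ca)
	return Scenario{Roots: pool, Legit: legit, Forged: forged}
}

// NameOnlyCheck is the weak check discussed above: does the CN match?
func NameOnlyCheck(c *x509.Certificate, expected string) bool {
	return c.Subject.CommonName == expected
}

// FullCheck verifies the signature chain to a trusted root and the hostname.
func FullCheck(c *x509.Certificate, expected string, roots *x509.CertPool) error {
	_, err := c.Verify(x509.VerifyOptions{DNSName: expected, Roots: roots})
	return err
}

func main() {
	s := NewScenario()
	for _, e := range []struct {
		name string
		cert *x509.Certificate
	}{{"legit", s.Legit}, {"forged", s.Forged}} {
		fmt.Printf("%-6s name-only: %v  full: %v\n",
			e.name, NameOnlyCheck(e.cert, Host), FullCheck(e.cert, Host, s.Roots))
	}
}
```

Note that Go matches the hostname against the SubjectAltName DNS entries, not the CN, which is why the leaf template sets both; a client that only compares CN strings is exactly the check the reply warns is insufficient on its own.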
