curl-users

Re: [PATCH]add --peer-CN-regex option to the command line tool

From: Götz Babin-Ebell <babin-ebell_at_trustcenter.de>
Date: Wed, 04 Jun 2003 12:34:38 +0200

Hello Cris,

Cris Bailiff wrote:
> Folks,
>
> On Wed, 4 Jun 2003 08:25 am, Daniel Stenberg wrote:
>
>>On Tue, 3 Jun 2003, Torsten Foertsch wrote:
>>
>>>the patch below adds a "--peer-CN-regex <regular expression>" to the
>>>command line tool and a new "CURLOPT_SSLPEERREGEX" to libcurl.

>>I would guess that a much simpler approach would suffice for most people,
>>using good old and much simpler DOS-style wildcards. Don't you agree?

That seems to be OK.

> If you allow curl to make SSL connections to a CN which doesn't match the URL
> hostname, then you almost might as well just use '--insecure' - the main
> security benefit (of knowing exactly who you are connecting to) is removed.
> Although the connection may be "encrypted", it's still vulnerable to
> man-in-the-middle attacks (OK, maybe not so much on localhost), and
> therefore the encryption also offers little protection. The result is a
> completely false sense that the connection is 'secure' in some way.

But if you disable CN verification,
you lose all security about which host you connect to.

If you can set a host name to check against,
the CN must still match it,
so DNS poisoning and MITM would still be detectable.

example:

you have some hosts
like
www.us.yourcompany.com
www.eu.yourcompany.com
they all have the alias www.yourcompany.com

Now you want to check if they are alive.

you can do a
curl --use-dn www.yourcompany.com https://www.us.yourcompany.com
curl --use-dn www.yourcompany.com https://www.eu.yourcompany.com

(or whatever you call the parameter...)

this way a MITM is not possible, since the DN must be www.yourcompany.com
(we will hope the attacker has no certificate with that CN...)

Bye

Goetz

-- 
Goetz Babin-Ebell, TC TrustCenter AG, http://www.trustcenter.de
Sonninstr. 24-28, 20097 Hamburg, Germany
Tel.: +49-(0)40 80 80 26 -0,  Fax: +49-(0)40 80 80 26 -126
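
The name check the thread is arguing about, as an added Python example (not curl or libcurl code, and not Götz's): the certificate's name is compared against an operator-supplied expected name, or a DOS-style wildcard pattern as Daniel suggests, instead of verification being switched off. It assumes the dict shape `ssl.SSLSocket.getpeercert()` returns, the sample certificates are constructed, and `expected_pattern` and `insecure` are hypothetical parameter names standing in for the `--use-dn` / `--insecure` options discussed above.

```python
import fnmatch

# Constructed sample certificates in the dict layout ssl.getpeercert() uses.
# ALIAS_CERT is what the shared alias from the mail would carry; OTHER_CERT is
# a certificate for an unrelated name (both constructed, not real certs).
ALIAS_CERT = {
    "subject": ((("commonName", "www.yourcompany.com"),),),
    "subjectAltName": (("DNS", "www.yourcompany.com"),),
}
OTHER_CERT = {
    "subject": ((("commonName", "some-other-host.example"),),),
}


def cert_names(cert):
    """Return the DNS names a certificate claims: SAN dNSName entries,
    falling back to the subject CN only when there are none."""
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        for rdn in cert.get("subject", ()):
            names.extend(v for k, v in rdn if k == "commonName")
    return names


def name_matches(pattern, name):
    """Match a DOS-style pattern ('*' and '?') against a literal DNS name.
    Matching is done label by label, so a wildcard never spans a dot, and
    wildcards are only accepted in the leftmost label (RFC 6125 style).
    Wildcard names inside the certificate itself are out of scope here."""
    p = pattern.rstrip(".").lower().split(".")
    h = name.rstrip(".").lower().split(".")
    if len(p) != len(h) or len(p) < 2:
        return False
    if any("*" in lbl or "?" in lbl for lbl in p[1:]):
        return False
    return all(fnmatch.fnmatchcase(hl, pl) for pl, hl in zip(p, h))


def verify_peer(cert, url_host, expected_pattern=None, insecure=False):
    """Decide whether the peer certificate is acceptable for this connection.

    insecure=True skips the check entirely (the --insecure behaviour the
    thread warns against).  Otherwise the certificate must carry a name that
    matches expected_pattern when given, or the URL host when not.  The
    chain/CA validation that makes the name trustworthy is assumed to have
    already passed; this function only covers the name step."""
    if insecure:
        return True
    target = expected_pattern or url_host
    return any(name_matches(target, n) for n in cert_names(cert))


if __name__ == "__main__":
    # The case from the mail: the URL host is the regional name, the
    # certificate is for the alias, and the operator names the alias to check.
    print(verify_peer(ALIAS_CERT, "www.us.yourcompany.com"))
    print(verify_peer(ALIAS_CERT, "www.us.yourcompany.com",
                      expected_pattern="www.yourcompany.com"))
    print(verify_peer(OTHER_CERT, "www.us.yourcompany.com",
                      expected_pattern="www.yourcompany.com"))
    print(verify_peer(OTHER_CERT, "www.us.yourcompany.com", insecure=True))
```

With the alias certificate and the regional URL host the plain check fails, supplying the alias as the expected name makes it pass, and a certificate for any other name still fails unless verification is disabled outright. The check is only as strong as the chain validation in front of it, which is the point of the "we will hope the attacker has no certificate with that CN" aside: with CA verification intact, the expected name limits what a valid certificate may say, and disabling it leaves nothing for the name to be measured against.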

Received on 2003-06-04