From: Mark West (markwwwncorp.net)
Date: Thu May 30 2002 - 06:36:04 CDT


    1. You can open a cert and look at the DN at will, and do whatever you
    want with the results; you do this in your application after SSL has
    accepted the connection.

    2. For authentication SSL uses the methods that are specified in the
    certificate; for X.509 this is commonly MD5 or SHA-1 for the digest and
    RSA, DH or DSS for the signature. There are several possibilities, but
    SSL handles all this by itself; it really should not concern you at the
    level above SSL.

    3. SSL itself has no mechanism for relaying error messages over the
    protocol; this is done by design to reduce the amount of helpful
    information that may be provided to a cracker. When something goes wrong
    at either end, the connection is just dropped.

    4. Each server and client implementation has its own set of exceptions
    and applicable policies. There is nothing in the SSL or X.509 spec that
    says anything about making sure that a server's DN matches the host
    name; that is done in your application after SSL has connected.

    - Mark West
    - Quidquid Latine dictum sit, altum videtur
    (Whatever is said in Latin sounds important).

    -----Original Message-----
    From: Scott, Richard [mailto:Richard.ScottBestBuy.com]
    Sent: Wednesday, May 29, 2002 10:26 PM
    To: 'Gregory Steuck'; Scott, Richard; webappsecsecurityfocus.com
    Subject: RE: Certificates, SSL and servers

    <snip>
    Let me try to rephrase what you wrote in my terms and then answer. If
    my interpretation is incorrect, my answer is irrelevant.

    So your application running on Server B authenticates incoming SSL
    connections by the client certificate they supply. The authenticity of the
    certificate information is guaranteed by the CA signature. Then parts
    of the DN can be trusted and used for whatever purposes you
    wish. Since you mention servlets I deduce you are talking about Java.

    Is my recap correct so far?
    <!snip>

    Correct! You have it spot on.

    <snip>
    In such a case yes it is possible to
    do what I described above. In fact, I just did it by implementing both
    client and server portions doing mutual SSL authentication with
    certificates issued by a local CA (honestly, just self signed
    certificates imported into the trusted keystores of both apps).

    Note, that I didn't really use servlets, so I didn't have to figure
    out how to configure any particular servlet container/HTTP listener to
    use my keystore. I also had the privilege of direct access to
    SSLSocket thus I could obtain the corresponding X509 certificates and
    retrieve their DNs.

    <!snip>

    I was hoping to use the Certificate as an authenticator for the specific
    machine and maybe have some certs allowed to execute interface 1 in a
    Servlet and other certs only access interface 2.

    To do this I was hoping to use the DN of the CERT, which could be set to
    the machine name, and have the authenticator server (the one receiving the
    request from the client) use LDAP to query if the DN has access to the
    interface or not. That way, numerous certs have access to the Servlet, but
    only some have access to some functionality and maybe only one machine
    has access to all the functionality.

    Can I use the DN or some other entity label in a cert to do this?

    Secondly, reading the RFCs, I can't figure out the method Certs use for
    authentication. More so, is it SSL that generates the error messages,
    like verifying the domain name of a cert is the same as the server it was
    sent from, or is this X.509 functionality? All I can find is that X.509
    certs build the trust if and only if the signing CA is trusted.
    If this is part of the X.509 standard, where is this documented?

    Thanks for all the replies.

    cheers
    r.
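As an added illustration of Mark's points 1 and 4 (not code from either poster): a small Java server that lets JSSE do the handshake and client-certificate validation, then reads the subject DN from the accepted SSLSocket and decides in the application which servlet "interface" that machine may call. The LDAP lookup Richard describes is replaced by an in-memory table; the host names in that table, the port and the class name are all constructed for this example, and the key/trust store is assumed to be configured through the usual javax.net.ssl.keyStore / trustStore system properties.

```java
import java.io.IOException;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLServerSocketFactory;
import javax.net.ssl.SSLSocket;

/**
 * Hypothetical authoriser: JSSE proves the client holds a key for a
 * certificate chained to a trusted CA; the policy about which DN may call
 * which interface lives here, above SSL. The table stands in for the
 * LDAP query from the thread (an assumption for this example).
 */
public class CertDnAuthorizer {

    /** Constructed sample policy: machine CN -> interfaces it may call. */
    private static final Map<String, Set<String>> POLICY = new HashMap<>();
    static {
        POLICY.put("build-host.example.internal", Set.of("interface1"));
        POLICY.put("report-host.example.internal", Set.of("interface2"));
        POLICY.put("admin-host.example.internal", Set.of("interface1", "interface2"));
    }

    /** Listen with client authentication required; the default factory
     *  uses the key/trust stores named by the javax.net.ssl.* properties. */
    public static SSLServerSocket listen(int port) throws IOException {
        SSLServerSocketFactory f = (SSLServerSocketFactory) SSLServerSocketFactory.getDefault();
        SSLServerSocket ss = (SSLServerSocket) f.createServerSocket(port);
        // Without a trusted client cert the handshake fails and the
        // connection is dropped; nothing reaches the code below.
        ss.setNeedClientAuth(true);
        return ss;
    }

    /** The client's own (leaf) certificate from the negotiated session. */
    public static X509Certificate clientCertificate(SSLSocket s) throws SSLPeerUnverifiedException {
        java.security.cert.Certificate[] chain = s.getSession().getPeerCertificates();
        return (X509Certificate) chain[0]; // chain[0] is the peer, the rest lead to the CA
    }

    /** Parse the RFC 2253 DN with the JDK's own parser instead of
     *  splitting on commas; returns the first CN RDN found, or null. */
    public static String commonName(X509Certificate cert) throws InvalidNameException {
        LdapName dn = new LdapName(cert.getSubjectX500Principal().getName());
        for (Rdn rdn : dn.getRdns()) {
            if ("CN".equalsIgnoreCase(rdn.getType())) {
                return rdn.getValue().toString();
            }
        }
        return null;
    }

    /** Policy decision, default deny: unknown CN or unknown interface is refused. */
    public static boolean isAllowed(String cn, String iface) {
        return cn != null && POLICY.getOrDefault(cn, Collections.emptySet()).contains(iface);
    }

    public static void main(String[] args) throws Exception {
        try (SSLServerSocket ss = listen(8443)) {
            while (true) {
                try (SSLSocket s = (SSLSocket) ss.accept()) {
                    s.startHandshake(); // SSL-level authentication happens here
                    String cn = commonName(clientCertificate(s));
                    System.out.println("client CN=" + cn
                            + " interface1=" + isAllowed(cn, "interface1")
                            + " interface2=" + isAllowed(cn, "interface2"));
                } catch (SSLPeerUnverifiedException e) {
                    System.out.println("no client certificate: " + e.getMessage());
                }
            }
        }
    }
}
```

Two things worth keeping in mind when using this pattern. First, the policy keys on the CN only because the thread proposes setting the DN to the machine name; in a real deployment the issuing CA is the real trust boundary, so only certificates from the CA you control should be in the trust store, otherwise any CA-issued certificate with a matching CN would pass. Second, as Mark says in point 4, nothing in this code checks that the DN matches the host the socket is actually connected to; on the client side a modern JSSE can be asked to do that by setting `SSLParameters.setEndpointIdentificationAlgorithm("HTTPS")` before the handshake, which did not exist when this thread was written.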