[ale] SSL Certs for $14.95

Michael H. Warfield mhw at WittsEnd.com
Wed Apr 5 23:15:45 EDT 2006


On Wed, 2006-04-05 at 18:34 -0400, Christopher Fowler wrote:
> On Wed, 2006-04-05 at 18:03 -0400, Michael H. Warfield wrote:
> >         What would you use for the DN (Distinguished Name)?  That's
> > what gets compared to the DNS name in the SSL connection certificate
> > check.  If that DN doesn't match the host name at the time of lookup,
> > you get an error.  If you don't have a host name, what is going to be
> > your basis of comparison?

> Here is another case of where my situation is unique.  Our embedded
> devices support SSL and you can place a certificate on them.  However
> they may not have a hostname and may have many ip addresses.

	Oh shit...  A bad feeling of Deja Vu is coming on...  Ok...  "you CAN
place a certificate on them".  What if you don't?  What does it use?

	Does each of these embedded devices have its own unique certificate or
are you generating a common certificate that you burn into the firmware.
If the latter, "Danger, Will Robinson, Danger"!  Do NOT under ANY
circumstances use a shared certificate!  Unless you want to make
headlines on FullDisclosure, BugTraq, or an ISS security advisory.  Some
WiFi AP vendors have already fallen into that trap and discovered that
anyone with a copy of their firmware can then decrypt all the SSL
traffic to and from any of those AP's.  It was not a pretty picture.

> We have 2 servers in a data center that only have IP addresses and no
> host names.  To give them a host name we would have to take ownership of
> our domain records from Earthlink and assign them ourselves.  So if a
> device has many ip addresses it may not be possible to do a reverse
> lookup on an ip address.

	The reverse IP has nothing to do with it.  It's strictly a forward
lookup.  If "www.wittsend.com" resolves to 130.205.32.64 and you get a
cert with a DN of "www.wittsend.com" then you are done (assuming you
know the CA or you accept the cert manually).  It does NOT do a reverse
lookup on 130.205.32.64 to see if it has a reverse pointer to
www.wittsend.com.  That's way beyond the validation.

> In the end I can't assign host names that can be looked up in DNS to
> every device including those I own.

	You can assign IP addresses to names (A and AAAA records) and that will
work.  You don't need to assign names to addresses (PTR records).  The
reverse DNS does not come into play here at all and the two (forward and
reverse) are actually orthogonal to each other (even though they should
agree, nothing requires it).

	Mike
-- 
Michael H. Warfield (AI4NB) | (770) 985-6132 |  mhw at WittsEnd.com
   /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
   NIC whois: MHW9          | An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471        | possible worlds.  A pessimist is sure of it!
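Added example, not part of this thread: the name check Mike describes, written out in Python so the forward-only behaviour is visible. The certificate dicts are constructed and mirror the shape `ssl.getpeercert()` returns; the resolver is a constructed table standing in for a forward DNS lookup, so nothing touches the network. It goes one step beyond the thread by also handling an IP-address subjectAltName (the standard answer for a device that has no host name), and it shows that a certificate whose only name is the CN does not match when the client was given a bare IP address.

```python
"""Certificate name matching as a TLS client performs it: the name the client
was asked to connect to is compared with the names in the certificate.  The
address the name resolves to is used only to open the connection; no reverse
(PTR) lookup is involved anywhere.  Added example; certificates below are
constructed test data, not real certificates."""
import ipaddress
from typing import Any, Callable, Dict, List

# Constructed certificates in ssl.getpeercert() layout.
CERT_SAN = {
    'subject': ((('commonName', 'www.wittsend.com'),),),
    'subjectAltName': (('DNS', 'www.wittsend.com'), ('IP Address', '130.205.32.64')),
}
CERT_CN_ONLY = {
    'subject': ((('commonName', 'www.wittsend.com'),),),
}
CERT_WILDCARD = {
    'subject': ((('commonName', '*.wittsend.com'),),),
    'subjectAltName': (('DNS', '*.wittsend.com'),),
}

# Constructed forward-resolution table (A records); unknown names resolve to themselves.
FORWARD_DNS = {'www.wittsend.com': '130.205.32.64'}


def _dns_match(pattern: str, hostname: str) -> bool:
    """Case-insensitive DNS-name match.  A single '*' is accepted only as the
    entire leftmost label and matches exactly one label."""
    pattern, hostname = pattern.lower().rstrip('.'), hostname.lower().rstrip('.')
    if '*' not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split('.'), hostname.split('.')
    if p_labels[0] != '*' or '*' in ''.join(p_labels[1:]):
        return False  # wildcard not leftmost, or more than one wildcard
    if len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False  # reject '*' and '*.com', and multi-label matches
    return p_labels[1:] == h_labels[1:]


def _san_entries(cert: Dict[str, Any], kind: str) -> List[str]:
    return [value for (typ, value) in cert.get('subjectAltName', ()) if typ == kind]


def _common_names(cert: Dict[str, Any]) -> List[str]:
    return [value for rdn in cert.get('subject', ())
            for (attr, value) in rdn if attr == 'commonName']


def _ip_equal(text: str, ip) -> bool:
    try:
        return ipaddress.ip_address(text) == ip
    except ValueError:
        return False  # malformed SAN entry never matches


def cert_matches(cert: Dict[str, Any], target: str) -> bool:
    """True if the certificate is valid for `target`, the host the client asked for."""
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None
    if ip is not None:
        # IP literal: only an iPAddress SAN counts; the CN is never consulted.
        return any(_ip_equal(v, ip) for v in _san_entries(cert, 'IP Address'))
    dns_names = _san_entries(cert, 'DNS')
    if dns_names:
        # When DNS SANs are present they are authoritative; the CN is ignored.
        return any(_dns_match(p, target) for p in dns_names)
    # Legacy fallback: no DNS SANs at all, so compare the subject CN.
    return any(_dns_match(cn, target) for cn in _common_names(cert))


def check_endpoint(target: str, forward_resolve: Callable[[str], str],
                   cert: Dict[str, Any]) -> Dict[str, Any]:
    """What a client does: forward-resolve `target` to choose the address to
    connect to, then compare `target` itself (not the address, and not any
    PTR record of the address) against the certificate."""
    address = forward_resolve(target)
    return {'connect_to': address, 'name_matches': cert_matches(cert, target)}


def table_resolver(name: str) -> str:
    """Constructed stand-in for a forward DNS lookup."""
    return FORWARD_DNS.get(name, name)


if __name__ == '__main__':
    for cert_name, cert in (('SAN', CERT_SAN), ('CN-only', CERT_CN_ONLY)):
        for target in ('www.wittsend.com', '130.205.32.64'):
            print(cert_name, target, check_endpoint(target, table_resolver, cert))
```

The CN-only certificate passes for the host name and fails for the bare address, which is why a device reachable only by IP needs an iPAddress subjectAltName rather than a CN containing the address. Nothing in the check consults the address's reverse record, matching Mike's point that PTR records are orthogonal here.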
