RejectedSoftware Forums


SSL: Verify certificate chain, but not peer host name

Hi,

The title says it all – I'm using SSL streams, and want to verify that the peer certificate is trusted (has a valid certificate chain to a trusted root CA), but don't want to check the host name/address against the X.509 info.

This is handy if you just want to (mis)use client certificates to both authenticate and securely tunnel RPC calls, but you don't actually care about the client host name (it might not even have one) and/or IP address.

Is this possible using the new – and otherwise of course much improved from my half-baked attempt! – certificate validation interface?

Best,
David

Re: SSL: Verify certificate chain, but not peer host name

On 18.06.2014 01:53, David Nadlinger wrote:

Hi,

The title says it all – I'm using SSL streams, and want to verify that the peer certificate is trusted (has a valid certificate chain to a trusted root CA), but don't want to check the host name/address against the X.509 info.

This is handy if you just want to (mis)use client certificates to both authenticate and securely tunnel RPC calls, but you don't actually care about the client host name (it might not even have one) and/or IP address.

Is this possible using the new – and otherwise of course much improved from my half-baked attempt! – certificate validation interface?

Best,
David

I think it's still too half-baked, actually :)

Currently SSLPeerValidationMode is unfortunately just a list of
increasing validation levels, but validating the peer name is currently
always part of the whole validation (if any). A bit field would have
been the better choice here obviously - I'll try to invent some new
names for individual options and keep the existing enum values as
composite flags.

Extending SSLPeerValidationData with some more useful data is also
something that still needs to be done.

Re: SSL: Verify certificate chain, but not peer host name

On Wed, 18 Jun 2014 09:56:46 +0200, Sönke Ludwig wrote:

On 18.06.2014 01:53, David Nadlinger wrote:

Hi,

The title says it all – I'm using SSL streams, and want to verify that
the peer certificate is trusted (has a valid certificate chain to a
trusted root CA), but don't want to check the host name/address
against the X.509 info.

This is handy if you just want to (mis)use client certificates to both
authenticate and securely tunnel RPC calls, but you don't actually
care about the client host name (it might not even have one) and/or IP
address.

Is this possible using the new – and otherwise of course much improved
from my half-baked attempt! – certificate validation interface?

Best,
David

I think it's still too half-baked, actually :)

Currently SSLPeerValidationMode is unfortunately just a list of
increasing validation levels, but validating the peer name is currently
always part of the whole validation (if any). A bit field would have
been the better choice here obviously - I'll try to invent some new
names for individual options and keep the existing enum values as
composite flags.

Implemented: 86ef76e
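As an added illustration of the bit-field design described above (not code from vibe.d or from either poster): the flag names, the `PeerValidationData` fields and the sample inputs are all hypothetical, chosen only to show how a separate host-name flag lets a caller require a trusted chain without checking the peer name.

```d
import std.algorithm : canFind;

// Hypothetical bit-field modes (illustrative names, not vibe.d's own).
enum PeerValidationFlags : uint
{
    none        = 0,
    validCert   = 1 << 0, // certificate parses and is within its validity period
    trustedCert = 1 << 1, // chain verifies up to a trusted root CA
    checkPeer   = 1 << 2, // subject CN/SAN must match the expected host name or address
    // Composite values play the role of the old "increasing levels".
    chainOnly   = validCert | trustedCert,
    full        = validCert | trustedCert | checkPeer,
}

// Results the TLS layer would hand to the validator (constructed here,
// not read from a real handshake).
struct PeerValidationData
{
    bool     certWellFormed;
    bool     chainTrusted;
    string[] subjectNames;     // CN plus SAN entries
    string   expectedPeerName; // host name or address of the other side
}

// Each flag is tested independently, so leaving out checkPeer does not
// weaken the chain check.
bool validatePeer(PeerValidationFlags mode, PeerValidationData d)
{
    if ((mode & PeerValidationFlags.validCert) && !d.certWellFormed)
        return false;
    if ((mode & PeerValidationFlags.trustedCert) && !d.chainTrusted)
        return false;
    if ((mode & PeerValidationFlags.checkPeer) && !d.subjectNames.canFind(d.expectedPeerName))
        return false;
    return true;
}

void main()
{
    // Constructed sample: RPC client with a CA-issued certificate whose
    // name does not match the address it connects from.
    auto client = PeerValidationData(true, true, ["rpc-client-01"], "203.0.113.5");
    assert(validatePeer(PeerValidationFlags.chainOnly, client));  // chain trusted, name ignored
    assert(!validatePeer(PeerValidationFlags.full, client));      // name mismatch rejected

    // Same client, but the chain does not reach a trusted root.
    auto untrusted = PeerValidationData(true, false, ["rpc-client-01"], "203.0.113.5");
    assert(!validatePeer(PeerValidationFlags.chainOnly, untrusted));
}
```

With `checkPeer` omitted, the issuing CA is the only thing that vouches for the client's identity, so the trusted root set for such a listener should contain only the CA that issues the client certificates rather than the system's general web PKI roots.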

Re: SSL: Verify certificate chain, but not peer host name

On Wed, 18 Jun 2014 08:28:34 GMT, Sönke Ludwig wrote:

Implemented: 86ef76e

Wow, thanks for the quick response.

By the way, the vibe-news frontend seems to render all newlines as
in the post display.

Cheers,
David