Re: IMAP OpenSSL and Virtual Host Environments?
From: Christian Schulte (crippendsl@gmx.net) Date: 04/26/02
- Next message: Paul Harrold: "Re: Virus protection, security questions"
- Previous message: Alun Jones: "Re: [OT] Is "Authentification" a Real Word?"
- Next in thread: Vic Abell: "Re: IMAP OpenSSL and Virtual Host Environments?"
- Reply: Vic Abell: "Re: IMAP OpenSSL and Virtual Host Environments?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: Christian Schulte <crippendsl@gmx.net> Date: Fri, 26 Apr 2002 19:13:13 +0200 To: Vic Abell <abe@cc.purdue.edu>
Hi! I read this posting from you in comp.mail.imap:
Vic Abell wrote:
> A single X509v3 certificate can hold multiple host names in the
> dNSName types of its subjectAltName extension. There may be multiple
> dNSName types and their values may contain wildcards.
>
> Here's an example (edited for obscurity) from an X509v3 certificate
> used to identify an OpenLDAP server:
>
> X509v3 Subject Alternative Name:
> email:xxx@yyy.ddd, DNS:production_host_name.yyy.ddd, \
> DNS:alternate_production_host_name.yyy.ddd
>
> RFC 2818, the HTTPS Over TLS specification, says this about the
> requirements for client endpoint identification:
>
> If a subjectAltName extension of type dNSName is present, that
> MUST be used as the identity. Otherwise, the (most specific)
> Common Name field in the Subject field of the certificate MUST
> be used. Although the use of the Common Name is existing practice,
> it is deprecated and Certification Authorities are encouraged
> to use the dNSName instead.
>
> Matching is performed using the matching rules specified by
> [RFC2459]. If more than one identity of a given type is present
> in the certificate (e.g., more than one dNSName name, a match
> in any one of the set is considered acceptable.) Names may
> contain the wildcard character * which is considered to match
> any single domain name component or component fragment. E.g.,
> *.a.com matches foo.a.com but not bar.foo.a.com. f*.com matches
> foo.com but not bar.com. first before the DN is checked.
>
> There are two problems:
>
> 1. You have to find clients that are TLS compliant when they do
> endpoint checking. (Hint: think open source.)
>
> 2. You have to acquire a certificate with multiple dNSName types.
> Eric Rescorla, author of RFC 2818 and the most useful book "SSL
> and TLS, Designing and Building Secure Systems" notes, "Currently,
> no major CA issues certificates of this type but it is hoped
> that in the future they will do so." (I'm cynical -- what CA
> would sell one certificate with N host names in it when they
> could sell N certificates?)
>
> If a self-signed certificate is acceptable, open source
> certificate generators will create them with multiple dNSName
> types in the subjectAltName extension.
>
> Vic Abell
Now the question:
I actually cannot find out how to create such certificates with OpenSSL!
Is there a way to do it with OpenSSL 0.9.6c? How can I do it otherwise?
The only thing I found in openssl is the alias switch, but certificates
created with aliases are not understood by cyrus imapd or by sendmail.
Thanks for your time
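The following is an added example, not part of Christian's or Vic's posts and not taken from any project: a POSIX shell script that uses only the openssl(1) command line (a current release, not 0.9.6c) to build a self-signed certificate whose subjectAltName carries several dNSName entries plus a wildcard, then reads those names back out of the certificate and applies the RFC 2818 matching rules quoted above. The host names, directory and function names are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original thread): multi-dNSName SAN certificate
# with openssl(1), plus an RFC 2818 style name matcher for the client side.
# Host names below are constructed placeholders.
set -eu

# Generate key + self-signed X.509v3 cert in directory $1. The SAN is set through
# a config file and x509_extensions, which works on old and new OpenSSL releases.
gen_san_cert() {
    dir=$1
    mkdir -p "$dir"
    cat > "$dir/san.cnf" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions    = v3_server
prompt             = no

[ dn ]
CN = imap.example.net

[ v3_server ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = DNS:imap.example.net, DNS:mail.example.org, DNS:*.virtual.example.com
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -config "$dir/san.cnf" -keyout "$dir/server.key" -out "$dir/server.crt" \
        2>/dev/null
}

# Print the dNSName entries of a certificate's subjectAltName, one per line.
san_dns_names() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | awk '/X509v3 Subject Alternative Name/ { getline; print }' \
        | tr ',' '\n' \
        | sed -n 's/^[[:space:]]*DNS:\([^[:space:]]*\).*/\1/p'
}

# RFC 2818 matching for one dNSName pattern against one host name:
# a '*' matches within a single label only ("*.a.com" matches foo.a.com but not
# bar.foo.a.com; "f*.com" matches foo.com but not bar.com). This example only
# honours a wildcard in the leftmost label; anything else is compared literally.
name_matches() {
    pat=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    host=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    case "$pat" in
        *\**) ;;                                   # wildcard: label matching below
        *)    [ "$pat" = "$host" ] && return 0; return 1 ;;
    esac
    p1=${pat%%.*};  h1=${host%%.*}
    case "$pat"  in *.*) pr=${pat#*.} ;;  *) pr= ;; esac
    case "$host" in *.*) hr=${host#*.} ;; *) hr= ;; esac
    [ "$pr" = "$hr" ] || return 1                  # remaining labels must be identical
    case "$h1" in $p1) return 0 ;; esac            # glob the leftmost label only
    return 1
}

# Client-side identity check: when dNSName entries exist they are the identity
# (the CN is ignored, as RFC 2818 requires) and any one match is acceptable.
cert_matches_host() {
    cert=$1; host=$2
    names=$(san_dns_names "$cert")
    [ -n "$names" ] || return 1                    # no dNSName: CN fallback not done here
    while IFS= read -r n; do
        if name_matches "$n" "$host"; then return 0; fi
    done <<EOF
$names
EOF
    return 1
}

# Usage: sh san-cert.sh demo [workdir]
if [ "${1:-}" = "demo" ]; then
    workdir=${2:-./san-demo}
    gen_san_cert "$workdir"
    echo "dNSName entries in $workdir/server.crt:"
    san_dns_names "$workdir/server.crt"
    for h in imap.example.net host.virtual.example.com deep.host.virtual.example.com; do
        if cert_matches_host "$workdir/server.crt" "$h"; then
            echo "$h: match"
        else
            echo "$h: no match"
        fi
    done
fi
```

On OpenSSL 1.1.1 and later the config file can be replaced by `openssl req -x509 ... -addext "subjectAltName=DNS:a,DNS:b"` on the command line; the config-file route above is the one that also applies to older releases. Whether a given IMAP or SMTP client actually consults the dNSName entries is a separate matter, which is Vic's point 1: the matcher here only shows what a compliant client is supposed to do.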