[openssl-users] Has client validated successfully?

Jordan Brown openssl at jordan.maileater.net
Wed Feb 21 18:06:48 UTC 2018


On 2/20/2018 9:34 AM, J Decker wrote:
> Client does a verification and passes or fails, and via the SSL layer
> I can query if the client validated the certificate.
> If it failed, provide an option for the client to get a renewed
> certificate for verification.  If success, no action.
> If an actor lies in this scenario he answers
> lies *yes* and didn't, don't give him a means to actually verify. *noop*
> lies *no* but did, then give him the root cert he already has.... *noop*

Er... so I have my malicious MITM server serve up a certificate that the
client won't accept, and then helpfully provide it with my root
certificate so that it won't have any trouble talking to me?

There's a reason for the client to verify the server's certificate.  If
the client can't verify the server's certificate, then there's no reason
to believe that it's the right server and can be trusted.

Any certificate updates have to be protected by the previous
certificate.  If you've let the certificate lapse then you need some
kind of out-of-band verification.

-- 
Jordan Brown, Oracle Solaris
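The rule in the reply above (the client's verification is the gate, and a root update is acceptable only if the anchor the client already holds vouches for it) as a worked example. This is added code, not from the thread and not OpenSSL's own; it uses Go's standard crypto/x509 rather than the OpenSSL C API so it runs without OpenSSL headers. The CA names, the hostname, the in-memory throwaway CAs and the cross-signing scheme (the old root issues a certificate for the new root's name and key) are assumptions for illustration.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// check panics on fixture-building errors so the trust decisions below stay readable.
func check(err error) {
	if err != nil {
		panic(err)
	}
}

// ca is a throwaway in-memory CA (a constructed fixture, not a real trust anchor).
type ca struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

var nextSerial int64 // fixture serials; a real CA uses random, unique serials

func caTemplate(name string) *x509.Certificate {
	nextSerial++
	return &x509.Certificate{
		SerialNumber:          big.NewInt(nextSerial),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
}

func sign(tmpl, parent *x509.Certificate, pub interface{}, priv *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, priv)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert
}

func newCA(name string) *ca {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl := caTemplate(name)
	return &ca{sign(tmpl, tmpl, &key.PublicKey, key), key} // self-signed root
}

// crossSign issues, under the OLD root, a certificate carrying the NEW root's name and key.
// Only the holder of the old root's private key can produce it, so the client can check
// the update with the anchor it already has: the update is protected by the previous cert.
func crossSign(old *ca, next *x509.Certificate) *x509.Certificate {
	return sign(caTemplate(next.Subject.CommonName), old.cert, next.PublicKey, old.key)
}

func issueServer(issuer *ca, host string) *x509.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl := caTemplate(host)
	tmpl.IsCA, tmpl.DNSNames = false, []string{host}
	tmpl.KeyUsage = x509.KeyUsageDigitalSignature
	tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	return sign(tmpl, issuer.cert, &key.PublicKey, issuer.key)
}

// verifyServer is the check the client runs on every connection; if it fails, nothing the
// peer says afterwards (including "here is my root") is trustworthy.
func verifyServer(trusted *x509.CertPool, leaf *x509.Certificate, host string) error {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: trusted, DNSName: host})
	return err
}

// acceptRootUpdate admits candidate to the trust store only if crossSigned vouches for its
// exact name and key AND chains to a root the client already trusts. A root handed over by
// a peer that failed verification cannot meet the second condition.
func acceptRootUpdate(trusted *x509.CertPool, crossSigned, candidate *x509.Certificate) error {
	opts := x509.VerifyOptions{Roots: trusted, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := crossSigned.Verify(opts); err != nil {
		return fmt.Errorf("root update not vouched for by the current trust anchor: %w", err)
	}
	if !crossSigned.IsCA || !candidate.IsCA ||
		!bytes.Equal(crossSigned.RawSubjectPublicKeyInfo, candidate.RawSubjectPublicKeyInfo) ||
		!bytes.Equal(crossSigned.RawSubject, candidate.RawSubject) {
		return errors.New("cross-signed certificate does not match the candidate root's name and key")
	}
	return candidate.CheckSignatureFrom(candidate) // candidate must be self-signed under that key
}

// Scenario plays both halves of the argument: a legitimate rotation from root G1 to a
// G1-cross-signed G2, and a MITM that fails verification and then offers its own "G2".
func Scenario() (legitTrusted, mitmTrusted bool) {
	oldRoot := newCA("Example Root G1")
	trusted := x509.NewCertPool()
	trusted.AddCert(oldRoot.cert)
	newRoot := newCA("Example Root G2")
	if acceptRootUpdate(trusted, crossSign(oldRoot, newRoot.cert), newRoot.cert) == nil {
		trusted.AddCert(newRoot.cert)
	}
	legitTrusted = verifyServer(trusted, issueServer(newRoot, "www.example.com"), "www.example.com") == nil
	// The MITM's root has the same name as G2 but a different key: its server certificate
	// fails, and its self-made "cross-sign" does not chain to G1 either.
	mitm := newCA("Example Root G2")
	mitmTrusted = verifyServer(trusted, issueServer(mitm, "www.example.com"), "www.example.com") == nil ||
		acceptRootUpdate(trusted, crossSign(mitm, mitm.cert), mitm.cert) == nil
	return legitTrusted, mitmTrusted
}

func main() {
	legit, mitm := Scenario()
	fmt.Printf("legitimate G2 trusted: %v, MITM-offered root trusted: %v\n", legit, mitm)
}
```

The point of the MITM half is that the attacker's root is rejected for the right reason: not because its name is wrong (it is the same name as the real G2) but because nothing signed by G1 vouches for its key. If the old root has already lapsed so that no such chain can exist, this check cannot be satisfied at all, which is exactly the out-of-band situation the reply describes.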
