Re: Server Authentication - Openssl



Thread: Re: Server Authentication

  1. Re: Server Authentication

    As I said you usually can't. For instance Firefox has a database with
    certificates from many trust anchors (they pay to be in that database),
    so when it wants to validate a certificate it asks the db about it. If you have
    an HTTPS server which has a self-signed certificate that isn't in Firefox's
    db, then you will get an error that the certificate could not be validated.

    This is because you cannot access their online LDAP or X.500 stores of
    certificates unless you are their client (I bought a class 4 certificate
    for application signing and they gave me a user/pass to their online
    repository). Even then you might have restricted access, and if you
    want the CA's self-signed certificate (if the CA is Verisign or another root CA)
    you won't find that cert in their repositories.

    I would be interested too to find a way to retrieve online certificates, but I'm afraid
    currently there isn't any. That's why Verisign wants to take over DNS, so that they
    can distribute certs at will - ISPs are too lazy to do that.

    Cheers,
    Eugen.




    ----- Original Message ----
    From: AlokBhatnagar
    To: openssl-users@openssl.org
    Sent: Friday, June 20, 2008 4:49:55 PM
    Subject: Re: Server Authentication


    Hello Sendroiu,

    That's what I was asking....

    How can I get the certificates of CAs I trust?

    Regards

    Alok Bhatnagar




    ----- Original Message -----
    From: Sendroiu Eugen
    To: openssl-users@openssl.org
    Sent: Friday, June 20, 2008 7:12 PM
    Subject: Re: Server Authentication

    From what I understand, you need the trust anchor's certificate (eg Verisign)
    so that you can check the server's certificate against the probably self-signed
    Verisign certificate. It is supposed that you already have the certificates of
    CAs you trust.
    If your question is how to find online a specific certificate, the simple answer is that
    you usually can't.



    ----- Original Message ----
    From: AlokBhatnagar
    To: openssl-users@openssl.org
    Sent: Friday, June 20, 2008 4:02:15 PM
    Subject: Re: Server Authentication

    Thanks David,

    I know that the domain name should be the same as the common name in the server
    certificate which is sent by the server to the client.

    As I know, the SSL client verifies the server's certificate against the CA
    certificate loaded in the client.

    Suppose I trust the Verisign CA. So my client must have the Verisign CA certificate
    in order to verify the server's certificate.

    So I want to ask, how will I get the CA certificate or list of CA
    certificates that I trust?

    Thanks

    Regards
    Alok Bhatnagar


    ----- Original Message -----
    From: "David Schwartz"
    To:
    Sent: Friday, June 20, 2008 6:03 PM
    Subject: RE: Server Authentication


    > > So I want to know how will my client authenticate the server
    > > since I don't have the server's root certificate?
    > >
    > > Thanks in Advance..
    > >
    > > Regards
    > > Alok Bhatnagar
    >
    > That is completely application-dependent. The answer will depend on what
    > makes the legitimate server different from an impostor.
    >
    > Your question is basically, "how can I detect an impostor?". And the answer
    > is "as opposed to what?". For example, if the question is, "how can I tell
    > the real amazon.com from an impostor who doesn't control that domain?" the
    > answer is to see if the server presents a certificate with 'amazon.com' in
    > the common name that is signed by a CA you trust.
    >
    > If you don't know what CAs you trust, then you have a problem.
    >
    > DS
    >
    >
    > ______________________________________________________________________
    > OpenSSL Project http://www.openssl.org
    > User Support Mailing List openssl-users@openssl.org
    > Automated List Manager majordomo@openssl.org
    >
    >






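    Alok's underlying question is what the client actually does once it has a CA certificate it trusts. The following is an added example, not code from this thread or from the OpenSSL project: it builds a throw-away CA and a server certificate with the openssl command-line tool, then runs the two checks David describes, a chain to a trust anchor the client has loaded and a match on the name the client connected to. The CA names and the host name www.example.test are invented for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): a throw-away CA, a server certificate
# issued by it, and the client-side check against a chosen trust anchor.
# "Example Test CA", "Some Other CA" and www.example.test are invented names.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_ca <name> <common-name>: self-signed CA in $WORK/<name>.pem and .key.
# A private config keeps the run independent of the system openssl.cnf.
make_ca() {
    cat > "$WORK/$1.cnf" <<EOF
[ req ]
distinguished_name = dn
x509_extensions    = ca_ext
prompt             = no
[ dn ]
CN = $2
[ ca_ext ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -config "$WORK/$1.cnf" -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# issue_server_cert <ca-name> <hostname>: CSR plus signed leaf in $WORK/server.pem.
# The host name goes into the CN (as the thread says) and into subjectAltName,
# which is what current verifiers actually match against.
issue_server_cert() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$WORK/$1.cnf" \
        -subj "/CN=$2" -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
    printf 'basicConstraints = CA:FALSE\nsubjectAltName = DNS:%s\nextendedKeyUsage = serverAuth\n' \
        "$2" > "$WORK/server.ext"
    openssl x509 -req -sha256 -days 1 -set_serial 1001 -in "$WORK/server.csr" \
        -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" -extfile "$WORK/server.ext" \
        -out "$WORK/server.pem" 2>/dev/null
}

# verify_server_cert <ca-file> <hostname> <cert>: the check an SSL client does.
# -CAfile with -no-CAfile/-no-CApath means "trust exactly this anchor and nothing
# the system happens to ship"; -verify_hostname is the name check; -purpose
# sslserver rejects a CA or client certificate presented as a server certificate.
# Prints OK/FAIL from the tool's output rather than its exit status, which older
# releases did not set on verification failure.
verify_server_cert() {
    if openssl verify -CAfile "$1" -no-CAfile -no-CApath -purpose sslserver \
            -verify_hostname "$2" "$3" 2>/dev/null | grep -q ': OK$'; then
        echo OK
    else
        echo FAIL
    fi
}

demo() {
    make_ca trusted "Example Test CA"
    make_ca other   "Some Other CA"
    issue_server_cert trusted www.example.test
    echo "trusted CA, right host: $(verify_server_cert "$WORK/trusted.pem" www.example.test  "$WORK/server.pem")"
    echo "other CA,   right host: $(verify_server_cert "$WORK/other.pem"   www.example.test  "$WORK/server.pem")"
    echo "trusted CA, wrong host: $(verify_server_cert "$WORK/trusted.pem" mail.example.test "$WORK/server.pem")"
}

demo
```

    The second and third lines of output are the two ways an impostor fails: a certificate signed by a CA the client has not loaded, and a genuine certificate for a different host. Nothing in the check involves fetching anything from the CA online; the only input besides the server's certificate is the CA file the client was given beforehand, which is the point Eugen makes above.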

  2. Re: Server Authentication

    I do have to point out, no CA pays Mozilla to be in Firefox's
    database. What the CA pays for is the auditing required to pass
    Mozilla's criteria for inclusion in the database.

    That said, my personal opinion is that the CA model is broken from the
    start, and I am pushing for a way to opt out of Mozilla's root
    certificate distribution without having to individually remove trust
    from every CA in their database.

    -Kyle H

    On Fri, Jun 20, 2008 at 7:16 AM, Sendroiu Eugen wrote:
    > As I said you usually can't. For instance Firefox has a database with
    > certificates from many trust anchors (they pay to be in that database),
    > so when it wants to validate a certificate it asks the db about it. If you have
    > an HTTPS server which has a self-signed certificate that isn't in Firefox's
    > db, then you will get an error that the certificate could not be validated.
    >
    > This is because you cannot access their online LDAP or X.500 stores of
    > certificates unless you are their client (I bought a class 4 certificate
    > for application signing and they gave me a user/pass to their online
    > repository). Even then you might have restricted access, and if you
    > want the CA's self-signed certificate (if the CA is Verisign or another root CA)
    > you won't find that cert in their repositories.
    >
    > I would be interested too to find a way to retrieve online certificates, but
    > I'm afraid currently there isn't any. That's why Verisign wants to take over DNS, so
    > that they can distribute certs at will - ISPs are too lazy to do that.
    >
    > Cheers,
    > Eugen.