I may add some background to this inquiry.
The Solaris LDAP lib (using NSS as its SSL/TLS implementation) performs a
reverse lookup before starting the SSL handshake when an IP is specified as
the target.
If the reverse lookup fails then the TCP connection is closed.
IMHO this is incorrect behavior ...
It seems the client does this because it fears running into a
'BAD_CERT_DOMAIN' error in case SubjectAltName extensions are not
correctly set.
Regards,
Bernhard
On 7/2/14 7:29 PM, Ryan Sleevi wrote:
On Wed, July 2, 2014 6:09 am, Bernhard Thalmayr wrote:
Hi experts, is there a specification which NSS follows when performing the
certificate check during the SSL handshake (especially with regard to
handling SubjectAltName extensions)?
TIA,
Bernhard
P.S. Unfortunately my search in the archive and using Mr. Google did not
help
--
Depends on which part of NSS you mean.
Legacy does a somewhat arbitrary, single-path only path building, with the
goal of enforcing RFC 2459-like requirements.
LibPKIX was designed to do unrestricted path building (ala RFC 4158), with
the goal of verifying certificates according to RFC 3280.
mozilla::pkix was designed to do unrestricted path building (ala RFC
4158), but with the goal of verifying SSL/TLS certificates according to
RFC 5280.
5280 replaces 3280 replaces 2459.
For verifying names, I'm not sure if mozilla::pkix supports RFC 6125 yet.
I suspect not (there are still issues with trailing periods, IIRC), but
likely something "close to it". For name verification, though, RFC 6125 is
"the" thing to read.
--
Painstaking Minds
IT-Consulting Bernhard Thalmayr
Herxheimer Str. 5, 83620 Vagen (Munich area), Germany
Tel: +49 (0)8062 7769174
Mobile: +49 (0)176 55060699
bernhard.thalm...@painstakingminds.com - Solution Architect
http://www.xing.com/profile/Bernhard_Thalmayr
http://de.linkedin.com/in/bernhardthalmayr
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
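The RFC 6125 name check Ryan points to, as an added Python example that is not code from NSS, mozilla::pkix or the Solaris LDAP library: the reference identity is whatever the client was asked to connect to, DNS-IDs are compared label by label with a trailing period stripped and a wildcard accepted only as the whole left-most label, and an IP literal is matched directly against iPAddress entries, so no reverse lookup is needed. The SAN list is constructed sample data.

```python
import ipaddress

# Constructed sample SAN entries as (type, value) pairs, roughly what a
# parsed SubjectAltName extension yields.
SAMPLE_SAN = [
    ("dNSName", "ldap.example.com"),
    ("dNSName", "*.example.net"),
    ("iPAddress", "192.0.2.10"),
]

def _normalize_dns(name):
    # Labels compare case-insensitively; the trailing period of an absolute
    # name ("host.example.com.") is stripped before comparison.
    return name.lower().rstrip(".")

def dns_id_matches(reference, presented):
    """Match one DNS-ID from the certificate against the reference hostname."""
    ref = _normalize_dns(reference).split(".")
    pres = _normalize_dns(presented).split(".")
    if len(ref) != len(pres):
        return False  # a wildcard never spans more than one label
    if any("*" in label for label in pres[1:]):
        return False  # wildcards are only allowed in the left-most label
    if "*" in pres[0]:
        # Conservative choice (as mozilla::pkix does): only a complete "*"
        # label, and it must not stand in for a bare TLD such as "*.com".
        return pres[0] == "*" and len(pres) >= 3 and ref[1:] == pres[1:]
    return ref == pres

def verify_reference_identity(target, san_entries):
    """Return True if the SAN entries cover the connection target.

    An IP literal is checked only against iPAddress entries; a PTR record is
    controlled by whoever holds the address block, not the certificate
    holder, so reverse DNS is never consulted.
    """
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None
    for kind, value in san_entries:
        if ip is not None and kind == "iPAddress":
            if ipaddress.ip_address(value) == ip:
                return True
        elif ip is None and kind == "dNSName":
            if dns_id_matches(target, value):
                return True
    return False
```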