On Thu, Mar 04, 2021 at 02:59:47PM -0500, Keith Moore wrote:

> > TLS without DNS name checks and/or without any hierarchical PKI
> > is directly supported by OpenSSL.
>
> Yes I know. But people need web browsers that can do this. And there's
> still a need to thwart active attacks in such environments.
>
> IOW it's not only TLS and X.509 that are needed, but a stack (including
> browser) that can use these without needing DNS or external connectivity.

Since unlike various sorts of industrial equipment, ... browsers presumably
run on a mainstream OS (BSD, Linux, MacOS, Windows, ...), you can always
MiTM the browser with "stunnel" or fancier proxy, making all connections to
names that resolve to "127.0.0.1", and the proxy making a connection to a
downstream server based on the SNI name. The proxy can authenticate the
target servers via some appropriate mechanism, but present SNI-based certs
acceptable to the browser.

https://www.envoyproxy.io/docs/envoy/latest/intro/intro

-- 
    Viktor.
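As an added illustration of the local-proxy arrangement described in the message above (this is example configuration, not part of the original post or of the stunnel project), here is a stunnel 5.x configuration in which a browser-facing server side selects a certificate by SNI and chains into client-side services that pin each device's own certificate. All service names, hostnames, addresses and file paths are assumptions; it assumes the browser host resolves `device-a.example` and `device-b.example` to 127.0.0.1 (for instance via /etc/hosts).

```ini
; /etc/stunnel/local-proxy.conf  (constructed example; all values are assumed)
; Browser -> TLS -> stunnel (127.0.0.1:443) -> loopback -> stunnel client
; service -> TLS -> device.  The browser only ever sees certificates it
; already trusts for the SNI name; the device is authenticated by pinning.

foreground = yes

; --- Browser-facing side: stunnel is the TLS server --------------------
; Parent service: presents a fallback certificate when no SNI slave matches.
; Nothing listens on 127.0.0.1:9000, so unknown names fail closed.
[browser]
accept  = 127.0.0.1:443
cert    = /etc/stunnel/browser/default.pem
connect = 127.0.0.1:9000

; SNI slave services: one per device name the browser is expected to use.
; "cert" here is the certificate the *browser* accepts for that name.
[browser-device-a]
sni     = browser:device-a.example
cert    = /etc/stunnel/browser/device-a.pem
connect = 127.0.0.1:9001

[browser-device-b]
sni     = browser:device-b.example
cert    = /etc/stunnel/browser/device-b.pem
connect = 127.0.0.1:9002

; --- Device-facing side: stunnel is the TLS client ---------------------
; verifyPeer + CAfile pins the device's own (e.g. self-signed) certificate,
; so neither DNS nor a hierarchical PKI is needed to detect an active MiTM
; on the path to the device.
[upstream-device-a]
client     = yes
accept     = 127.0.0.1:9001
connect    = 192.0.2.10:443
verifyPeer = yes
CAfile     = /etc/stunnel/pins/device-a.pem

[upstream-device-b]
client     = yes
accept     = 127.0.0.1:9002
connect    = 192.0.2.11:443
verifyPeer = yes
CAfile     = /etc/stunnel/pins/device-b.pem
```

Adding a device means adding one SNI slave section and one pinned client section; the pin file must be refreshed whenever the device's certificate is rotated, otherwise the client side refuses the connection.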