Server certificate hash checking

On Fri, 2015-01-02 at 21:37 +0000, David Woodhouse wrote:
> On Fri, 2015-01-02 at 23:16 +0200, Nikos Mavrogiannopoulos wrote:
> > On Fri, 2015-01-02 at 09:40 +0000, David Woodhouse wrote:
> > 
> > > > The latter is probably difficult, but printing the hash and key IDs is
> > > > probably a good idea. I'll check it.
> > > Well, if the luci https service is using the *same* cert as ocserv then
> > > presumably it's already been accepted.
> > 
> > No it is not. I don't think it is a good idea to mix keys for different
> > services.
> Hm, is there a way for an X.509 certificate to specify which
> ports/services it's valid for? We only actually validate the *hostname*,
> because I thought that's all there was.

There is the key purpose X.509 extension. It is typically set to "TLS
WWW server". I'd expect different services to use a different key
purpose, although that's not so common.

regards,
Nikos