Re: Has client validated successfully?

On 2/20/2018 9:34 AM, J Decker wrote:
> Client does a verification and passes or fails, and via the SSL layer I can query if the client validated the certificate.
> If it failed, provide an option for the client to get a renewed certificate for verification.  If success, no action.
> If an actor lies in this scenario he answers
> lies *yes* and didn't, don't give him a means to actually verify. *noop*
> lies *no* but did, then give him the root cert he already has.... *noop*

Er... so I have my malicious MITM server serve up a certificate that the client won't accept, and then helpfully provide it with my root certificate so that it won't have any trouble talking to me?

There's a reason for the client to verify the server's certificate.  If the client can't verify the server's certificate, then there's no reason to believe that it's the right server and can be trusted.

Any certificate updates have to be protected by the previous certificate.  If you've let the certificate lapse then you need some kind of out-of-band verification.

-- 
Jordan Brown, Oracle Solaris
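The rule in the reply above ("any certificate updates have to be protected by the previous certificate") is easy to state and easy to get wrong, so here is an added worked example in Go's standard library, written for this archive page and not taken from the thread or from OpenSSL. It models a client that pins a root certificate and is offered a replacement root. The candidate is accepted only when a certificate carrying the candidate's public key chains to the root the client already pins; a root handed over by a peer the client could not verify (the "helpful MITM" case) is rejected, as is a genuine proof paired with a different key, and a pin that has already lapsed fails verification, which is exactly the situation that needs out-of-band recovery. All certificates, subject names and the functions makeRoot, crossSign and acceptRootUpdate are constructed for the example; nothing here is a real trust anchor or an existing API beyond crypto/x509.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// makeRoot builds a self-signed CA certificate valid for one day and returns
// it with its private key. It is used for the pinned root, its successor and
// an attacker's root alike (constructed test data, not real trust anchors).
func makeRoot(cn string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// crossSign is what the legitimate operator does before rotating: the old
// root's key signs a certificate carrying the new root's subject and public
// key. That signature is the "protection by the previous certificate".
func crossSign(oldRoot *x509.Certificate, oldKey *ecdsa.PrivateKey, newRoot *x509.Certificate) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(2),
		Subject:               newRoot.Subject,
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, oldRoot, newRoot.PublicKey, oldKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// acceptRootUpdate is the client side. It never trusts a root just because a
// peer handed it over: the candidate is accepted only if proof binds the
// candidate's public key and chains to the root the client already pins, as
// of time now. An expired pin fails here too; that is the "lapsed
// certificate" case, which cannot be repaired in-band.
func acceptRootUpdate(pinned, candidate, proof *x509.Certificate, now time.Time) error {
	if proof == nil {
		return errors.New("no proof of continuity presented")
	}
	if !bytes.Equal(proof.RawSubjectPublicKeyInfo, candidate.RawSubjectPublicKeyInfo) {
		return errors.New("proof does not bind the candidate's public key")
	}
	roots := x509.NewCertPool()
	roots.AddCert(pinned)
	_, err := proof.Verify(x509.VerifyOptions{
		Roots:       roots,
		CurrentTime: now,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
	})
	if err != nil {
		return fmt.Errorf("candidate root not protected by pinned root: %w", err)
	}
	return nil
}

func main() {
	oldRoot, oldKey, err := makeRoot("Example Root 2017")
	if err != nil {
		panic(err)
	}
	newRoot, _, err := makeRoot("Example Root 2018")
	if err != nil {
		panic(err)
	}
	mitmRoot, _, err := makeRoot("Helpful MITM Root")
	if err != nil {
		panic(err)
	}
	proof, err := crossSign(oldRoot, oldKey, newRoot)
	if err != nil {
		panic(err)
	}
	now := time.Now()
	fmt.Println("legitimate rotation:     ", acceptRootUpdate(oldRoot, newRoot, proof, now))
	fmt.Println("MITM offers its own root:", acceptRootUpdate(oldRoot, mitmRoot, mitmRoot, now))
	fmt.Println("MITM reuses real proof:  ", acceptRootUpdate(oldRoot, mitmRoot, proof, now))
	fmt.Println("pin already lapsed:      ", acceptRootUpdate(oldRoot, newRoot, proof, now.Add(72*time.Hour)))
}
```

The first call returns nil; the other three return errors. Note that the client's decision depends only on what it already trusts (the pinned root) plus a signature the attacker cannot forge; nothing the peer says about whether verification "succeeded" enters into it, which is why the yes/no answers in the quoted proposal add nothing.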
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
