[Box Backup] Question about certificates

Baltasar Cevc boxbackup@fluffy.co.uk
Fri, 3 Aug 2007 14:27:20 +0200


Hi Chris, hi Nuno,

On Thu, 2 Aug 2007 19:50:07 +0100 (BST)
Chris Wilson <chris@qwirx.com> wrote:

> > It's not secure? Why not? A client can only pretend to be a server
> > with the name BACKUP-X where X is the client number. If another
> > client would connect to server1.domain.com and a client would only
> > have a certificate with the common name of BACKUP-X and not
> > server1.domain.com.
> 
> I'm not 100% sure, but I don't think the client verifies the CN of
> the server certificate at all, except that it was signed by the
> expected CA. So it doesn't matter that the server has a "name" of
> BACKUP-1 or anything else, as long as it was signed by the ServerCA,
> which in your case would be the same as the ClientCA.

I'm positive it _does not_ verify the name (as you write). We've
often used the name of the NAT machine instead of the internal name
(which was the CN of the certificate) and it did work perfectly.

Baltasar