Security Basics mailing list archives

RE: How to perform SSL certificate validation ?

From: "Ncssindia" <ncssindia () gmail com>
Date: Thu, 13 Jul 2006 18:48:25 +0530

There is a product called as Microdasys SCIP, for SSL Verification, can
check for self singed certificated, This will come in handy as a great tool
for SSL.


Best Regards, 
Reactor Network and Content Security Solutions

RNCSS Support #1 : rncssindia () gmail com
RNCSS Support #2 : rncsscccp () gmail com

-----Original Message-----
From: Nagareshwar Talekar [mailto:tnagareshwar () gmail com] 
Sent: Monday, July 10, 2006 11:46 PM
To: security-basics () securityfocus com
Subject: How to perform SSL certificate validation ?

Hi List,

I am working on implementation of LDAP client where in there is requirement
to validate the server's ssl certificate. This is similar to what browser
does in case of ssl enabled website. After reading few articles over net  I
came to know that following checks needs to be done for verfication of ssl
certificate.

      1) Check if certificate is not expired.
      2) Common name on the certificate matches the DNS name of the server.
      3) Checks if the CA is trused.

 I don't know how to perform the check for 3rd step. How can we ensure  that
CA is trusted? One of my colleague told that I have to store all trusted
root certificates and then compare incoming certificate with existing ones..

 Is there any better way to check this ...?

 Also I was told that certificate validation is done to prevent the SSL-MITM
attack  Is this the only reason or is there any other reason for which the
SSL certificate  validation is done ?

 It will be great if you can throw some light in this matter. Any links to
relevant  websites will do as well.

 Thanks

--
With Regards
Nagareshwar

---------------------------------------------------------------------------
This list is sponsored by: SensePost

Hacking, like any art, will take years of dedicated study and practice to
master. We can't teach you to hack. But we can teach you what we've learned
so far. Our courses are honest, real, technical and practical. SensePost
willl be at Black Hat Vegas in July. To see what we're about, visit us at: 

http://www.sensepost.com/training.html
---------------------------------------------------------------------------


---------------------------------------------------------------------------
This list is sponsored by: SensePost

Hacking, like any art, will take years of dedicated study and
practice to master. We can't teach you to hack. But we can teach you
what we've learned so far. Our courses are honest, real, technical
and practical. SensePost willl be at Black Hat Vegas in July. To see
what we're about, visit us at:

http://www.sensepost.com/training.html
---------------------------------------------------------------------------

Current thread:

How to perform SSL certificate validation ? Nagareshwar Talekar (Jul 11)
- RE: How to perform SSL certificate validation ? Ncssindia (Jul 13)
- Re: How to perform SSL certificate validation ? Alexander Klimov (Jul 13)
- <Possible follow-ups>
- RE: How to perform SSL certificate validation ? Robertson, Seth (JSC-IM) (Jul 14)