WebApp Sec mailing list archives
RE: Client script access to server cert info
From: "Maupin, Tony" <Tony.Maupin () integris-health com>
Date: Mon, 14 Apr 2003 08:55:05 -0500
What you're looking for is called a "certificate parsing module". Do a search on that term and/or add open source to the search depending on what you're looking for. It will do everything you are asking and more.

Tony Maupin

-----Original Message-----
From: Brass, Phil (ISS Atlanta) [mailto:PBrass () iss net]
Sent: Sunday, April 13, 2003 11:21 PM
To: webappsec () securityfocus com
Subject: RE: Client script access to server cert info

To clarify, what I'm looking for is a way for script on a page to access the server certificate information used during the SSL connection over which the page was provided. I.e. if Alice requests a page from bob.com, but the bob.com server returns a certificate that actually says mallory.com, and Alice presses "OK" when prompted about the discrepancy, it would be nice if there was a way to detect this using script that ran in the browser.

I'm trying to find out if anybody knows of any browser/DOM/DHTML objects that contain a description (signing chain, CN, fingerprint, whatever) of the actual server certificate information presented during the SSL handshake.

Phil

-----Original Message-----
From: Brass, Phil (ISS Atlanta)
Sent: Sunday, April 13, 2003 11:51 PM
To: webappsec () securityfocus com
Subject: Client script access to server cert info

Does anybody know if there is a way to access the server certificate information in client-side script in a web browser?

Thanks!

Phil