[ntp:hackers] Using multiple SSL certs - Was: Why...

tglassey tglassey at glassey.com
Tue Jun 9 17:39:19 UTC 2009


Olaf Fraczyk wrote:
>> or the pain caused by improperly using a single ssl certificate for both 
>> entitlement and authentication at the networking level.
>>     
> Of course, there are many possible scenarios. I assumed implicitly that
> we are talking about certificates used for WWW site authentication and
> session encryption, as it was these certificates that were mentioned in
> earlier posts. Something you use when you host www.mybank.com.
> Please try to read the thread from the beginning and you will see that it
> causes almost physical pain :) If we start digging into details (eg.
> that it is perfectly OK to produce a certificate for an IP number or
> anything else - although not for the use I described in the 1st paragraph) the
> thread will never end ;)
> The basic point is that there are applications (very common and well
> known) where you need 1 IP per 1 SSL site. So it is perfectly OK to have
> a host with 1000 IPs - and it was the problem where the whole discussion
> started :)
>   
Olaf
OK so on a perimeter machine it's pretty easy to set up a second or third 
or fourth set of IPs which DNS will resolve, or even better place those 
new names in the local /etc/hosts file and set NAME RESOLUTION to use 
the FILES option first (/etc/nsswitch.conf in most instances).

I for instance regularly create a set of names which are not resolvable 
publicly but have multiple certificates for their operations which 
resolve to local addresses. This way it's simple to have multiple certs 
which point to the same physical address but belong to different use 
classes. The routing configuration is the key win here, and yes, this is 
yet another reason why NTP should not be only available as an appliance 
but one which uses the underlying firewall and policy controls of the 
Host OS to properly allow or deny connections rather than the NTP Daemon 
itself making those decisions.

Todd
> Regards,
>
> Olaf
>   
>> Todd Glassey
>>     
>>> Best regards,
>>>
>>> Olaf
>>>   
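The layout Todd describes above (one local IP per SSL identity, names kept in /etc/hosts, and nsswitch.conf consulting files before DNS) staged as a dry-run shell script. This is an added example, not code from the original mail or from the NTP project; every address, host name, interface and certificate path in SITE_MAP is a constructed placeholder, and the Apache VirtualHost rendering is one possible consumer of the per-IP mapping, chosen here as an illustration.

```shell
#!/bin/sh
# Added example (not from the original thread): stage a "one IP per SSL
# site" layout and check the resolver order. Nothing here touches the
# live system; every function prints or checks text you pass to it.

# Constructed site map, one line per SSL identity: "ip hostname certfile".
SITE_MAP='10.0.0.11 ntp-admin.internal /etc/ssl/ntp-admin.pem
10.0.0.12 ntp-mgmt.internal  /etc/ssl/ntp-mgmt.pem'

# nsswitch_hosts_files_first FILE
# Succeeds when the "hosts:" line in FILE lists "files" before "dns",
# i.e. local /etc/hosts entries win over public DNS for these names.
# Fails when the line is missing or "dns" comes first.
nsswitch_hosts_files_first() {
    sed -n 's/^[[:space:]]*hosts:[[:space:]]*//p' "$1" | head -n 1 |
    awk '
        NR == 1 {
            f = 0; d = 0
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^#/) break          # trailing comment
                if ($i == "files" && !f) f = i
                if ($i == "dns"   && !d) d = i
            }
            ok = (f && (!d || f < d))
            exit (ok ? 0 : 1)
        }
        END { if (NR == 0) exit 1 }           # no hosts: line at all
    '
}

# hosts_entries < SITE_MAP
# Emits the "/etc/hosts" lines: "ip hostname", one per identity.
hosts_entries() {
    awk 'NF >= 2 && $1 !~ /^#/ { print $1, $2 }'
}

# ip_alias_commands IFACE < SITE_MAP
# Emits the "ip addr add" commands that would bind each address to IFACE
# (printed, not executed, so you can review them before applying).
ip_alias_commands() {
    awk -v dev="$1" 'NF >= 2 && $1 !~ /^#/ {
        printf "ip addr add %s/32 dev %s\n", $1, dev
    }'
}

# apache_vhosts < SITE_MAP
# Emits one IP-based SSL VirtualHost per identity, each with its own
# certificate: the pre-SNI pattern that needs one address per cert.
apache_vhosts() {
    awk 'NF >= 3 && $1 !~ /^#/ {
        printf "<VirtualHost %s:443>\n", $1
        printf "    ServerName %s\n", $2
        printf "    SSLEngine on\n"
        printf "    SSLCertificateFile %s\n", $3
        printf "</VirtualHost>\n\n"
    }'
}

# Usage: sh stage-ssl-ips.sh --render   (prints the staged configuration)
if [ "${1:-}" = "--render" ]; then
    printf '%s\n' "$SITE_MAP" | hosts_entries
    printf '%s\n' "$SITE_MAP" | ip_alias_commands eth0
    printf '%s\n' "$SITE_MAP" | apache_vhosts
    nsswitch_hosts_files_first /etc/nsswitch.conf \
        && echo "nsswitch: files before dns, /etc/hosts entries take effect" \
        || echo "nsswitch: hosts line does not put files before dns"
fi
```

The resolver check matters because the private names only behave as intended when the local file is consulted first; if `dns` precedes `files`, a public answer (or a timeout) for a name that is not meant to be resolvable publicly takes over. Keeping the rendered output as plain text lets you diff it against the running host before applying it.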