[ntp:hackers] Using multiple SSL certs - Was: Why...
tglassey
tglassey at glassey.com
Tue Jun 9 17:39:19 UTC 2009
Olaf Fraczyk wrote:
>> or the pain caused by improperly using a single ssl certificate for both
>> entitlement and authentication at the networking level.
>>
> Of course, there are many possible scenarios. I assumed implicitly that
> we are talking about certificates used for WWW site authentication and
> session encryption, as it was these certificates that were mentioned in
> earlier posts. Something you use when you host www.mybank.com.
> Please try to read the thread from the beginning and you will see that it
> causes almost physical pain :) If we start digging into details (e.g.
> that it is perfectly OK to produce a certificate for an IP number or
> anything else - although not for the use I described in the 1st paragraph) the
> thread will never end ;)
> The basic point is, that there are applications (very common and well
> known) where you need 1 IP per 1 SSL site. So it is perfectly OK to have
> a host with 1000 IPs - and it was the problem where the whole discussion
> started :)
>
Olaf
OK so on a perimeter machine it's pretty easy to set up a second or third
or fourth set of IPs which DNS will resolve, or even better place those
new names in the local /etc/hosts file and set NAME RESOLUTION to use
the FILES option first (/etc/nsswitch.conf in most instances).
I for instance regularly create a set of names which are not resolvable
publicly but have multiple certificates for their operations which
resolve to local addresses. This way it's simple to have multiple certs
which point to the same physical address but belong to different use
classes. The routing configuration is the key win here and yes this is
yet another reason why NTP should not be only available as an appliance
but one which uses the underlying firewall and policy controls of the
Host OS to properly allow or deny connections rather than the NTP Daemon
itself making those decisions.
Todd
> Regards,
>
> Olaf
>
>> Todd Glassey
>>
>>> Best regards,
>>>
>>> Olaf
>>>
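The layout Todd describes above (secondary addresses on the perimeter host, private names in /etc/hosts with `files` consulted before DNS, and one certificate per address), as an added example that is not part of the original post or the NTP project. The names, addresses, interface and certificate paths are constructed placeholders, and the script only prints the commands and configuration fragments rather than applying them, so it runs without root:

```shell
#!/bin/sh
# Added example, not from the mailing-list post. Everything below is a dry run:
# it prints the pieces of the setup instead of changing the live system.

# name:address pairs for the private, non-public names (constructed sample)
SITES='ntp-admin.internal:10.10.0.11
ntp-metrics.internal:10.10.0.12
ntp-clients.internal:10.10.0.13'

# Print the `ip addr add` commands that would put one alias per name on interface $1.
alias_commands() {
    iface="$1"
    printf '%s\n' "$SITES" | while IFS=: read -r name addr; do
        printf 'ip addr add %s/32 dev %s\n' "$addr" "$iface"
    done
}

# Print the /etc/hosts lines that make the private names resolve locally.
hosts_entries() {
    printf '%s\n' "$SITES" | while IFS=: read -r name addr; do
        printf '%s\t%s\n' "$addr" "$name"
    done
}

# Return 0 when the nsswitch.conf text in $1 resolves hosts via files before dns,
# i.e. the local /etc/hosts entries win over whatever public DNS answers.
nsswitch_files_first() {
    hosts_line=$(printf '%s\n' "$1" | sed -n 's/^hosts:[[:space:]]*//p' | head -n 1)
    [ -n "$hosts_line" ] || return 1
    set -- $hosts_line
    [ "$1" = "files" ]
}

# Print one nginx server block per name, each bound to its own address with its
# own certificate (the one-IP-per-SSL-site arrangement the thread discusses).
nginx_blocks() {
    printf '%s\n' "$SITES" | while IFS=: read -r name addr; do
        cat <<EOF
server {
    listen ${addr}:443 ssl;
    server_name ${name};
    ssl_certificate     /etc/ssl/certs/${name}.pem;      # placeholder path
    ssl_certificate_key /etc/ssl/private/${name}.key;    # placeholder path
}
EOF
    done
}

# Usage: review the output, then apply it by hand on the perimeter host.
alias_commands eth0
hosts_entries
nginx_blocks
nsswitch_files_first 'hosts: files dns' && echo "nsswitch: files before dns"
```

Each name gets its own address and its own certificate, so a client can only reach a given use class on the address that its private name resolves to, and the host firewall can permit or deny per address rather than leaving that decision to the daemon. Modern TLS stacks use SNI to select a certificate by name on a shared address, which removes the one-address-per-certificate constraint; the per-address layout here mirrors the 2009 setup the thread is about.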