use*_*574 9 openssl ssl-certificate x509certificate2
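We are deciding whether we should add "localhost" (and similar addresses such as "127.0.0.1") as one of the Subject Alternative Names in a certificate. One benefit might be to facilitate local testing. But would there be any drawbacks?
Is it a good idea (or not) to add localhost to the subject alternative names?
It depends on the standard you are following and your security posture.
First things first (for the discussion below). A fully qualified domain name (FQDN) must be defined. The definition is taken from W. Richard Stevens's TCP/IP Illustrated, Volume I: The Protocols (p. 189):
A domain name that ends with a period is called an absolute domain name or a fully qualified domain name. If the domain name does not end with a period, it is assumed that the name needs to be completed. How the name is completed depends on the DNS software being used.
This means we can change localhost into a fully qualified domain name by appending a period: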
localhost.
Here is a small experiment:
$ hostname
debian-q500
$ hostname --fqdn
debian-q500
$ dnsdomainname
$
$ ping debian-q500.
ping: unknown host debian-q500.
$ ping debian-q500.local
PING debian-q500.local (172.16.1.26) 56(84) bytes of data.
64 bytes from debian-q500.home.pvt (172.16.1.26): icmp_req=1 ttl=64 time=0.040 ms
64 bytes from debian-q500.home.pvt (172.16.1.26): icmp_req=2 ttl=64 time=0.035 ms
...
$ ping localhost.
PING localhost (127.0.0.1) 56(84) bytes of data.
64 bytes from localhost (127.0.0.1): icmp_req=1 ttl=64 time=0.033 ms
64 bytes from localhost (127.0.0.1): icmp_req=2 ttl=64 time=0.037 ms
...
$ ping localhost.local
ping: unknown host localhost.local
$ ping localhost.localdomain
ping: unknown host localhost.localdomain
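Next are the standards. The most popular are the guidelines published by the CAs and browsers. The CAs and browsers publish their operating guidelines at the CA/B Forum. The two guides of interest are:
There is another popular one, but it usually defers to the CA/B guidelines on the hosts listed in a certificate. That standard is the IETF's RFC 5280:
RFC 5280 calls out other items, such as how to validate a certificate chain and how to list an email address in the subjectAltName.
Baseline Guidelines
The Baseline guidelines have this to say about names: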
9.2.1 Subject Alternative Name Extension
Certificate Field: extensions:subjectAltName
Required/Optional: Required
Contents: This extension MUST contain at least one entry. Each
entry MUST be either a dNSName containing the Fully-Qualified
Domain Name or an iPAddress containing the IP address of a
server. The CA MUST confirm that the Applicant controls the
Fully-Qualified Domain Name or IP address or has been granted
the right to use it by the Domain Name Registrant or IP address
assignee, as appropriate.
Wildcard FQDNs are permitted.
...
and
9.2.2 Subject Common Name Field
Certificate Field: subject:commonName (OID 2.5.4.3)
Required/Optional: Deprecated (Discouraged, but not prohibited)
Contents: If present, this field MUST contain a single IP address or
Fully-Qualified Domain Name that is one of the values contained in
the Certificate’s subjectAltName extension (see Section 9.2.1).
Finally,
11.1.3 Wildcard Domain Validation
Before issuing a certificate with a wildcard character (*) in a
CN or subjectAltName of type DNS-ID, the CA MUST establish and
follow a documented procedure† that determines if the wildcard
character occurs in the first label position to the left of a
“registry-controlled” label or “public suffix” (e.g. “*.com”,
“*.co.uk”, see RFC 6454 Section 8.2 for further explanation).
If a wildcard would fall within the label immediately to the left
of a registry-controlled† or public suffix, CAs MUST refuse
issuance unless the applicant proves its rightful control of the
entire Domain Namespace. (e.g. CAs MUST NOT issue “*.co.uk” or
“*.local”, but MAY issue “*.example.com” to Example Co.).
So localhost is fine as long as it is a fully qualified domain name. In fact, localhost is not even mentioned in the guidelines.
Extended Validation
9.2.2 Subject Alternative Name Extension
Certificate field: subjectAltName:dNSName
Required/Optional: Required
Contents: This extension MUST contain one or more host Domain
Name(s) owned or controlled by the Subject and to be associated
with the Subject’s server. Such server MAY be owned and operated
by the Subject or another entity (e.g., a hosting service).
Wildcard certificates are not allowed for EV Certificates.
9.2.3 Subject Common Name Field
Certificate field: subject:commonName (OID: 2.5.4.3)
Required/Optional: Deprecated (Discouraged, but not prohibited)
Contents: If present, this field MUST contain a single Domain
Name(s) owned or controlled by the Subject and to be associated
with the Subject’s server. Such server MAY be owned and operated
by the Subject or another entity (e.g., a hosting service).
Wildcard certificates are not allowed for EV Certificates.
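So localhost is fine as long as it is a fully qualified domain name. In fact, localhost is not even mentioned in the guidelines.
Microsoft encourages the practice in KB315588, HOW TO: Secure an ASP.NET Application Using Client-Side Certificates:
littleblackbox is a database of private SSL/TLS and SSH keys for embedded devices. It ships with a SQLite3 database in bin/.
The certificates are in PEM format (i.e., -----BEGIN CERTIFICATE----- and friends). You can dump all of the certificates with: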
$ sqlite3 lbb.db
SQLite version 3.8.3 2013-12-17 16:32:56
Enter ".help" for instructions
Enter SQL statements terminated with a ";"
sqlite> .mode line
sqlite> .out certificates.txt
sqlite> SELECT certificate FROM certificates;
sqlite> .q
Next, remove certificate = from the file:
$ sed -e "s|certificate = ||g" certificates.txt > temp.txt
$ mv temp.txt certificates.txt
Now use nawk and openssl to decode each certificate:
nawk '
v{v=v"\n"$0}
/----BEGIN/ {v=$0}
/----END/&&v{
print v > "tmp.cert"
close("tmp.cert")
system("openssl x509 -in tmp.cert -inform PEM -text -noout")
v=x}' certificates.txt
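If we know about them, the bad guys certainly know about them.
Finally, the security posture. With all of the above said, here is why it is a bad idea. This is where the security posture comes in. From Peter Gutmann's Engineering Security (p. 45):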
In practice CAs seem to issue certificates under more or less any
name to pretty much anybody, ranging from small-scale issues like
users buying certificates for the wonderfully open-ended mail [237]
through to the six thousand sites that commercial CAs like Comodo,
Cybertrust, Digicert, Entrust, Equifax, GlobalSign, GoDaddy,
Microsoft, Starfield and Verisign have certified for localhost,
with no apparent limit on how many times a CA will issue a
certificate for the same name [238].
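The problem here is, "is it my localhost, or your localhost?" So it is not so much a problem of issuing a certificate for, and trusting, your localhost; it is more a problem of inadvertently trusting a foreigner's localhost.
Once your software (for example, a browser) trusts a certificate issued to localhost, it's game over.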
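
An added example (not part of the original answer): once certificates have been decoded with openssl x509 -text -noout as in the steps above, this check flags any subject CN or subjectAltName entry that names loopback, with or without the trailing period discussed earlier. The sample text is constructed, the function names are this example's own, and treating names under .localhost as loopback follows RFC 6761.

```python
import ipaddress
import re

# Constructed sample in the shape printed by `openssl x509 -text -noout`.
SAMPLE_TEXT = """\
Certificate:
    Data:
        Subject: C = US, O = Example Co, CN = www.example.com
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:www.example.com, DNS:localhost, DNS:LOCALHOST., IP Address:127.0.0.1, IP Address:0:0:0:0:0:0:0:1, IP Address:192.0.2.10
"""

def is_loopback_name(value):
    """True for a loopback IP or a localhost name, absolute ("localhost.") or not."""
    try:
        return ipaddress.ip_address(value).is_loopback
    except ValueError:
        pass  # not an IP literal, so treat it as a DNS name
    name = value.lower().rstrip(".")
    # Assumption labelled in the lead-in: names under .localhost count as loopback.
    return name == "localhost" or name.endswith(".localhost")

def names_in_cert_text(text):
    """Yield (source, value) for the subject CN and each DNS/IP SAN entry."""
    for m in re.finditer(r"^\s*Subject:.*?CN\s*=\s*([^,/\n]+)", text, re.M):
        yield "CN", m.group(1).strip()
    san = re.search(r"X509v3 Subject Alternative Name:[^\n]*\n\s*([^\n]+)", text)
    if san:
        for entry in san.group(1).split(","):
            kind, _, value = entry.strip().partition(":")
            if kind in ("DNS", "IP Address"):
                yield kind, value.strip()

def loopback_findings(text):
    """Return the names in one decoded certificate that identify loopback."""
    return [(k, v) for k, v in names_in_cert_text(text) if is_loopback_name(v)]

if __name__ == "__main__":
    for kind, value in loopback_findings(SAMPLE_TEXT):
        print(f"loopback name in certificate: {kind} {value}")
```
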