Security Basics mailing list archives
RE: How to perform SSL certificate validation ?
From: "Robertson, Seth (JSC-IM)" <Seth.Robertson-1 () nasa gov>
Date: Thu, 13 Jul 2006 14:19:04 -0500
Your application must build a certificate chain, collecting the issuing CA certificate for all CAs up to a trusted root. For externally issued certificates (ones not issued by your own CA), this is done by downloading the certificate from the Authority Information Access (AIA) URL found in the certificate itself. Each certificate in the chain is validated. The validity of each certificate can be determined based on a variety of tests (must have all standard X.509 fields, must fit a format for a specific version, critical extensions, specific OIDs, revocation check, root check, DNS check, signature check, and time validity check). For SSL, the root check, DNS check, time validity, and revocation check are standard. The root check of external certificates is performed by checking whether the chain (for example, from the web server, to an issuing CA, to another, to the root CA) connects to a trusted root (which is one either installed by default in IE or Mozilla or one you manually choose to import into the store to trust). Basically if you're talking about validating third-party web servers on the Internet, rely on the Verisign, Thawte etc. commercial CA root certificates in your store by default (you don't need to add a root CA). If these are internal web servers issued certificates by an internal private CA, then you'll need to install the root CA's certificate. The revocation check occurs by checking the Certificate Revocation List found at the URL stored in the certificate to make sure the once-valid certificate you've been presented wasn't revoked since its issuance (because of a key compromise, CA compromise, superseding, decommission of the server, or a temporary hold).
As far as being for MiTM prevention only, certificates are used for many services:
* Digital signatures: for client authentication and data-origin validation
* Non-repudiation: proving a signer DID sign a package
* Key encipherment: The public keys (asymmetric encryption) can be used for symmetric key exchange.
* Data encipherment: The public key itself can be used to encrypt data, but this never happens because it's so inefficient.
* Key Agreement: The public key can be used for key transport (like in Diffie-Hellman)
* Signature verification: The public key can be used to verify a certificate or CRL's signature.
PKI is used to help provide confidentiality, data-integrity, AND authentication.

I'm sure there is a tool to perform certificate validation in the method you need, but I don't know of one and it would depend on your platform (Windows?, Linux/UNIX?). For Windows, look into:
* CertUtil (a utility in the Server 2003 Admin Pack). For example, "certutil -verify -urlfetch example.cer" verifies the certificate chain of example.cer, printing output for every URL in every certificate in the chain. It prints out when a URL is validated, can't be reached, and prints a summary of errors at the end. I'm sure you need something simpler than that though, and I believe it's usually used by PKI administrators to check on the health of their own MS CS PKI.
* CAPIMON: "CryptoAPI Monitor (CAPIMON) allows an administrator to monitor an application's CryptoAPI calls and the results." http://www.microsoft.com/downloads/details.aspx?FamilyId=0BFE87A8-4E79-4441-9D4C-0CAB35D49A01&displaylang=en
* Generally speaking, the CryptoAPI

This book has a bit of information about certificate services in general, but is primarily geared toward installing your own CA using MS Certificate Services: "MS Windows Server 2003 PKI and Certificate Security".
Seth Robertson

-----Original Message-----
From: Ncssindia [mailto:ncssindia () gmail com]
Sent: Thursday, July 13, 2006 8:18 AM
To: 'Nagareshwar Talekar'; security-basics () securityfocus com
Subject: RE: How to perform SSL certificate validation ?

There is a product called Microdasys SCIP for SSL verification; it can check for self-signed certificates. This will come in handy as a great tool for SSL.

Best Regards,
Reactor Network and Content Security Solutions
RNCSS Support #1 : rncssindia () gmail com
RNCSS Support #2 : rncsscccp () gmail com

-----Original Message-----
From: Nagareshwar Talekar [mailto:tnagareshwar () gmail com]
Sent: Monday, July 10, 2006 11:46 PM
To: security-basics () securityfocus com
Subject: How to perform SSL certificate validation ?

Hi List,
I am working on the implementation of an LDAP client wherein there is a requirement to validate the server's SSL certificate. This is similar to what a browser does in the case of an SSL-enabled website. After reading a few articles on the net I came to know that the following checks need to be done for verification of an SSL certificate.
1) Check if the certificate is not expired.
2) The common name on the certificate matches the DNS name of the server.
3) Check if the CA is trusted.
I don't know how to perform the check for the 3rd step. How can we ensure that the CA is trusted? One of my colleagues told me that I have to store all trusted root certificates and then compare the incoming certificate with the existing ones. Is there any better way to check this?
Also I was told that certificate validation is done to prevent the SSL MITM attack. Is this the only reason, or is there any other reason for which SSL certificate validation is done?
It will be great if you can throw some light on this matter. Any links to relevant websites will do as well.
Thanks
--
With Regards
Nagareshwar

---------------------------------------------------------------------------
This list is sponsored by: SensePost
Hacking, like any art, will take years of dedicated study and practice to master. We can't teach you to hack. But we can teach you what we've learned so far. Our courses are honest, real, technical and practical. SensePost will be at Black Hat Vegas in July. To see what we're about, visit us at: http://www.sensepost.com/training.html
---------------------------------------------------------------------------
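The three checks Nagareshwar lists, done the way Seth describes them (chain the server certificate through its issuing CA to a root in the trust store, then compare the DNS name and the validity period), as an added Go example that is not part of the thread. It builds a constructed in-memory root CA, issuing CA and ldap.example.com server certificate with the standard library and verifies against an explicit trust store, so no network fetch and no system store is involved; the CA names, serials and dates are made up for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue creates a certificate for cn signed by parent (nil parent = self-signed root).
// Constructed data for this example only: every certificate is valid 2006-07-01 to 2007-07-01.
func issue(cn string, serial int64, isCA bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Date(2006, 7, 1, 0, 0, 0, 0, time.UTC),
		NotAfter:              time.Date(2007, 7, 1, 0, 0, 0, 0, time.UTC),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if !isCA { // server cert: the SAN carries the DNS name the client compares against (check 2)
		tmpl.DNSNames = []string{cn}
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	if parent == nil { parent, parentKey = tmpl, key } // a root CA signs itself
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil { panic(err) } // a bad template is a bug in this example, not a runtime condition
	cert, _ := x509.ParseCertificate(der) // DER we just produced always parses
	return cert, key
}
// BuildTestPKI returns (root CA, issuing CA, server certificate) for ldap.example.com.
func BuildTestPKI() (*x509.Certificate, *x509.Certificate, *x509.Certificate) {
	root, rootKey := issue("Example Root CA", 1, true, nil, nil)
	inter, interKey := issue("Example Issuing CA", 2, true, root, rootKey)
	leaf, _ := issue("ldap.example.com", 3, false, inter, interKey)
	return root, inter, leaf
}
// VerifyServerCert does what the thread describes: chain the server certificate through the
// intermediates to a root in the trust store (check 3), then check hostname (2) and validity (1).
// An explicit, possibly empty, root pool keeps Go from consulting the system store.
func VerifyServerCert(leaf *x509.Certificate, intermediates, roots []*x509.Certificate, host string, now time.Time) error {
	rootPool, interPool := x509.NewCertPool(), x509.NewCertPool()
	for _, c := range roots { rootPool.AddCert(c) }
	for _, c := range intermediates { interPool.AddCert(c) }
	_, err := leaf.Verify(x509.VerifyOptions{Roots: rootPool, Intermediates: interPool, DNSName: host, CurrentTime: now})
	return err
}
func main() { // stand-alone run: prints true when the constructed chain verifies on 2006-07-13
	root, inter, leaf := BuildTestPKI()
	println(VerifyServerCert(leaf, []*x509.Certificate{inter}, []*x509.Certificate{root}, "ldap.example.com", time.Date(2006, 7, 13, 0, 0, 0, 0, time.UTC)) == nil)
}
```

Leaving the root out of the pool, leaving the intermediate out, asking for a different host name, or verifying after NotAfter each fails with a distinct error type (UnknownAuthorityError, HostnameError, CertificateInvalidError with Reason Expired), which is how a client tells the user why the server was rejected.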
Current thread:
- How to perform SSL certificate validation ? Nagareshwar Talekar (Jul 11)
- RE: How to perform SSL certificate validation ? Ncssindia (Jul 13)
- Re: How to perform SSL certificate validation ? Alexander Klimov (Jul 13)
- <Possible follow-ups>
- RE: How to perform SSL certificate validation ? Robertson, Seth (JSC-IM) (Jul 14)