WebApp Sec mailing list archives

Previous By Date Next
Previous By Thread Next

RE: How to perform SSL certificate validation ?

From: "Dominick Baier" <otherlists () leastprivilege com>
Date: Mon, 10 Jul 2006 23:46:31 +0200
Which technology are you using - 

.NET 2.0 features the X509Chain class which does the heavy lifting - but
yeah - Windows hold a list of all trusted CAs - and a check for a trusted CA
compares the issuer with that list.

Another check you are missing is against CRLs (certificate revocation lists)
- you find the loction of the CRL in the CRL distribution point property of
the cert (usually an url or ldap address).

dominick
www.leastprivilege.com


-----Original Message-----
From: Nagareshwar Talekar [mailto:tnagareshwar () gmail com] 
Sent: Montag, 10. Juli 2006 17:59
To: security-basics () securityfocus com; webappsec () securityfocus com;
crypto () securityfocus com
Cc: tnagareshwar () gmail com
Subject: How to perform SSL certificate validation ?

Hi List,

I am working on implementation of LDAP client where in there is requirement
to validate the server's ssl certificate. This is similar to what browser
does in case of ssl enabled website. After reading few articles over net  I
came to know that following checks needs to be done for verfication of ssl
certificate.

       1) Check if certificate is not expired.
       2) Common name on the certificate matches the DNS name of the server.
       3) Checks if the CA is trused.

  I don't know how to perform the check for 3rd step. How can we ensure
  that CA is trusted? One of my colleague told that I have to store all
trusted
  root certificates and then compare incoming certificate with existing
ones..

  Is there any better way to check this ...?

  Also I was told that certificate validation is done to prevent the
SSL-MITM attack
  Is this the only reason or is there any other reason for which the SSL
certificate
  validation is done ?

 It will be great if you can throw some light in this matter. Any links to
relevant  websites will do as well.

 Thanks

--
With Regards
Nagareshwar

-------------------------------------------------------------------------
Sponsored by: Watchfire

Securing a web application goes far beyond testing the application using
manual processes, or by using automated systems and tools. Watchfire's "Web
Application Security: Automated Scanning or Manual Penetration Testing?"
whitepaper examines a few vulnerability detection methods - specifically
comparing and contrasting manual penetration testing with automated scanning
tools. Download it today!

https://www.watchfire.com/securearea/whitepapers.aspx?id=701500000008Vmm
--------------------------------------------------------------------------


-------------------------------------------------------------------------
Sponsored by: Watchfire

Cross-Site Scripting (XSS) is one of the most common application-level 
attacks that hackers use to sneak into web applications today. This 
whitepaper will discuss how traditional CSS attacks are performed, how to 
secure your site against these attacks and check if your site is protected. 
Cross-Site Scripting Explained - Download this whitepaper today!

https://www.watchfire.com/securearea/whitepapers.aspx?id=701500000008Vmr
--------------------------------------------------------------------------
Previous By Date Next
Previous By Thread Next

Current thread: