RE: How to turn off SSL Hostname check?

This question is coming up fairly frequently now due to the stricter checking
in the client library.

Let me expand on Kurt's reply, for the record - DON'T DO THIS. Before I go
into details, let me puff a bit - I've been breaking, creating, and deploying
security systems since the mid-80's. I worked with Wietse Venema on the first
version of the TCP wrappers over a decade ago, which are now a standard
component of most Unix systems today. I've worked with OpenSSL since way back
when it was version 0.66 (SSLeay). I've contributed bug fixes for Kerberos,
DCE, SASL, S/Key, Tripwire, TIS, just about every security tool that's come
along, as well as created several implementations of my own. I know a thing
or two about network security.

Security experts don't come cheap. I'm going to tell you something now for
free that might otherwise cost you hundreds in consulting fees, or
god-only-knows in attack recovery costs:

Anyone who has the ability to eavesdrop on your network also has the ability
to inject packets onto your network. If you think you want to use SSL to
encrypt your data because you want to protect it from eavesdroppers, but you
don't care about certificate verification or hostname checks, then you might
as well leave everything in plaintext because anybody capable of
eavesdropping is also capable of spoofing addresses, hijacking connections,
and interposing their own rogue server into your data stream. If you bypass
the certificate verification and hostname checks, you have rendered the use
of SSL completely pointless. The cert check and hostname check protect you
from rogue servers.

So if you really think you want to turn these checks off, you might as well
save your CPU cycles and turn off SSL completely, because it isn't doing you
one bit of good. On the other hand, if you really want to protect the
integrity of your network communications, you need to do it right and set up
your certificates properly. You can't get "partial security," you can't do
things half way. Do it right or don't bother.

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support

> -----Original Message-----
> From: owner-openldap-bugs@OpenLDAP.org
> [mailto:owner-openldap-bugs@OpenLDAP.org] On Behalf Of Kurt D. Zeilenga

> At 09:54 AM 2002-11-12, spangla@nationwide.com wrote:
> >How do you turn off SSL Hostname checking?
> As security of TLS (SSL) relies on host name checking,
> no option is provided to disable host name checking.
> If you really want to disable it, you can always
> hack the code.
> Kurt
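The hostname check Howard and Kurt are talking about, shown as an added example that is not part of the original thread or of the OpenLDAP client library: a minimal matcher of the kind a TLS client runs against the server certificate, plus an `ssl.SSLContext` configured so that both the certificate check and the hostname check stay on. The sample certificate dictionary, the host names and the function names are constructed for illustration; only the Python `ssl` calls are real.

```python
"""Added example: what a TLS hostname check does, and how to keep it enabled.

Not code from the original mailing-list thread or from OpenLDAP; the sample
certificate, host names and helper names below are constructed."""
import ssl

# Constructed sample in the shape returned by SSLSocket.getpeercert():
# a certificate issued for ldap.example.com and any single-label host below it.
SAMPLE_CERT = {
    "subject": ((("commonName", "ldap.example.com"),),),
    "subjectAltName": (
        ("DNS", "ldap.example.com"),
        ("DNS", "*.ldap.example.com"),
    ),
}


def _name_matches(pattern, hostname):
    """Match one certificate DNS name against the requested host.

    Comparison is case-insensitive; a wildcard is accepted only as the whole
    left-most label, it must be followed by at least two more labels, and it
    covers exactly one label of the host name (RFC 6125 style rules)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False          # "*" elsewhere, or too broad ("*.com")
    if len(p_labels) != len(h_labels):
        return False          # wildcard does not span several labels
    return p_labels[1:] == h_labels[1:]


def hostname_matches_cert(cert, hostname):
    """True if the host we intended to reach is named in the certificate.

    Uses the subjectAltName dNSName entries; the commonName is consulted only
    as a legacy fallback when the certificate carries no DNS SAN at all.
    This is the check that ties the encrypted channel to the server you
    asked for; without it a rogue server with any valid cert passes."""
    dns_names = [v for (k, v) in cert.get("subjectAltName", ()) if k == "DNS"]
    if not dns_names:
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    dns_names.append(value)
    return any(_name_matches(name, hostname) for name in dns_names)


def verifying_context(ca_file=None):
    """Build an SSLContext that requires a CA-signed certificate AND a
    matching host name. ca_file points at the CA bundle that signed the
    server certificate (the system store when None); set up the CA
    properly instead of loosening these two settings."""
    ctx = ssl.create_default_context(cafile=ca_file)
    # create_default_context already sets both; stated explicitly here
    # because these are exactly the two settings people ask to turn off.
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    return ctx


def is_verifying(ctx):
    """Audit helper: does this context still perform both checks?"""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


if __name__ == "__main__":
    for host in ("ldap.example.com", "replica.ldap.example.com",
                 "attacker.example", "a.b.ldap.example.com"):
        print(host, "->", hostname_matches_cert(SAMPLE_CERT, host))
    print("context verifying:", is_verifying(verifying_context()))
```

The point the matcher makes concrete: a certificate that chains to a trusted CA but names some other host is still rejected, so an interposed server cannot reuse a legitimately issued certificate for a different name. `is_verifying` is the kind of one-line audit worth running on any context handed to you by application code.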