|
WebApp Sec
mailing list archives
Re: How to perform SSL certificate validation ?
From: Max <Reply.to.list () acme com>
Date: Tue, 11 Jul 2006 16:27:49 +0200
Have a look at this application:
http://www.download.com/Globaltrust-Verification-Engine/3000-2144_4-10529972.html?tag=lst-0-1
M () x
Nagareshwar Talekar wrote:
Hi List,
I am working on implementation of LDAP client where in there is
requirement
to validate the server's ssl certificate. This is similar to what
browser does in case of ssl enabled website. After reading few
articles over net I came to know that following checks needs to be
done for verfication of ssl certificate.
1) Check if certificate is not expired.
2) Common name on the certificate matches the DNS name of the
server.
3) Checks if the CA is trused.
I don't know how to perform the check for 3rd step. How can we ensure
that CA is trusted? One of my colleague told that I have to store all
trusted
root certificates and then compare incoming certificate with existing
ones..
Is there any better way to check this ...?
Also I was told that certificate validation is done to prevent the
SSL-MITM attack
Is this the only reason or is there any other reason for which the
SSL certificate
validation is done ?
It will be great if you can throw some light in this matter. Any
links to relevant
websites will do as well.
Thanks
-------------------------------------------------------------------------
Sponsored by: Watchfire
Cross-Site Scripting (XSS) is one of the most common application-level
attacks that hackers use to sneak into web applications today. This
whitepaper will discuss how traditional CSS attacks are performed, how to
secure your site against these attacks and check if your site is protected.
Cross-Site Scripting Explained - Download this whitepaper today!
https://www.watchfire.com/securearea/whitepapers.aspx?id=701500000008Vmr
--------------------------------------------------------------------------
 By Date 
By Thread
Current thread:
| 
Intro
