我们正在决定是否将“localhost”(以及类似“127.0.0.1”这样的地址)添加为证书中的另一种主题备用名称。其中一个好处可能是促进本地测试。但是会有什么不利影响吗?
1个回答
17
“在Subject Alternative Name中添加localhost是一个好主意(还是坏主意)?”这要看你遵循的标准和安全策略而定。
这是一个小实验:
下面是标准。其中最受欢迎的是由CAs和浏览器发布的指南。CAs和浏览器在CA/B论坛上发布其操作指南。感兴趣的两个指南是: 还有一个流行的标准,但它通常推迟CA/B指南中列出的主机的证书。这个标准是来自IETF的RFC 5280: RFC 5280将调用其他内容,例如如何验证证书链以及如何在subjectAltName中列出电子邮件地址。
基线指南对名称有以下说明:
所以只要是完全合格的域名,
接下来,从文件中删除
现在使用
这里的问题是,“这是我的本地主机,还是你的本地主机”。因此,这不是为你的
首先(针对以下讨论),必须定义一个完全限定域名(FQDN)。该定义来自W. Richard Stevens的《TCP/IP Illustrated Volume I: The Protocols》(第189页):
以句点结尾的域名称为绝对域名或完全限定域名。如果域名不以句点结尾,则假定需要完成名称。如何完成名称取决于使用的DNS软件。
这意味着我们可以通过添加句点将localhost更改为完全限定域名:
localhost.
这是一个小实验:
$ hostname
debian-q500
$ hostname --fqdn
debian-q500
$ dnsdomainname
$
$ ping debian-q500.
ping: unknown host debian-q500.
$ ping debian-q500.local
PING debian-q500.local (172.16.1.26) 56(84) bytes of data.
64 bytes from debian-q500.home.pvt (172.16.1.26): icmp_req=1 ttl=64 time=0.040 ms
64 bytes from debian-q500.home.pvt (172.16.1.26): icmp_req=2 ttl=64 time=0.035 ms
...
$ ping localhost.
PING localhost (127.0.0.1) 56(84) bytes of data.
64 bytes from localhost (127.0.0.1): icmp_req=1 ttl=64 time=0.033 ms
64 bytes from localhost (127.0.0.1): icmp_req=2 ttl=64 time=0.037 ms
...
$ ping localhost.local
ping: unknown host localhost.local
$ ping localhost.localdomain
ping: unknown host localhost.localdomain
下面是标准。其中最受欢迎的是由CAs和浏览器发布的指南。CAs和浏览器在CA/B论坛上发布其操作指南。感兴趣的两个指南是: 还有一个流行的标准,但它通常推迟CA/B指南中列出的主机的证书。这个标准是来自IETF的RFC 5280: RFC 5280将调用其他内容,例如如何验证证书链以及如何在subjectAltName中列出电子邮件地址。
基线指南对名称有以下说明:
9.2.1 Subject Alternative Name Extension
Certificate Field: extensions:subjectAltName
Required/Optional: Required
Contents: This extension MUST contain at least one entry. Each
entry MUST be either a dNSName containing the Fully-Qualified
Domain Name or an iPAddress containing the IP address of a
server. The CA MUST confirm that the Applicant controls the
Fully-Qualified Domain Name or IP address or has been granted
the right to use it by the Domain Name Registrant or IP address
assignee, as appropriate.
Wildcard FQDNs are permitted.
...
和
9.2.2 Subject Common Name Field
Certificate Field: subject:commonName (OID 2.5.4.3)
Required/Optional: Deprecated (Discouraged, but not prohibited)
Contents: If present, this field MUST contain a single IP address or
Fully-Qualified Domain Name that is one of the values contained in
the Certificate’s subjectAltName extension (see Section 9.2.1).
最后,
11.1.3 Wildcard Domain Validation
Before issuing a certificate with a wildcard character (*) in a
CN or subjectAltName of type DNS-ID, the CA MUST establish and
follow a documented procedure† that determines if the wildcard
character occurs in the first label position to the left of a
“registry-controlled” label or “public suffix” (e.g. “*.com”,
“*.co.uk”, see RFC 6454 Section 8.2 for further explanation).
If a wildcard would fall within the label immediately to the left
of a registry-controlled† or public suffix, CAs MUST refuse
issuance unless the applicant proves its rightful control of the
entire Domain Namespace. (e.g. CAs MUST NOT issue “*.co.uk” or
“*.local”, but MAY issue “*.example.com” to Example Co.).
所以只要是完全合格的域名,
localhost就可以使用。实际上,在指南中甚至没有提到localhost。
扩展验证
9.2.2 Subject Alternative Name Extension
Certificate field: subjectAltName:dNSName
Required/Optional: Required
Contents: This extension MUST contain one or more host Domain
Name(s) owned or controlled by the Subject and to be associated
with the Subject’s server. Such server MAY be owned and operated
by the Subject or another entity (e.g., a hosting service).
Wildcard certificates are not allowed for EV Certificates.
9.2.3 Subject Common Name Field
Certificate field: subject:commonName (OID: 2.5.4.3)
Required/Optional: Deprecated (Discouraged, but not prohibited)
Contents: If present, this field MUST contain a single Domain
Name(s) owned or controlled by the Subject and to be associated
with the Subject’s server. Such server MAY be owned and operated
by the Subject or another entity (e.g., a hosting service).
Wildcard certificates are not allowed for EV Certificates.
只要是完全合格的域名,localhost就可以使用。实际上,在指南中甚至没有提到localhost。
微软在KB315588中鼓励使用如何:使用客户端证书保护ASP.NET应用程序的实践:
- 在“您网站的通用名称”页面上,输入localhost,然后单击“下一步”。
littleblackbox是一个针对嵌入式设备的私有SSL/TLS和SSH密钥数据库。它带有一个SQLite3数据库在bin/目录下。
证书采用PEM格式(即-----BEGIN CERTIFICATE-----等)。您可以使用以下命令转储所有证书:
$ sqlite3 lbb.db
SQLite version 3.8.3 2013-12-17 16:32:56
Enter ".help" for instructions
Enter SQL statements terminated with a ";"
sqlite> .mode line
sqlite> .out certificates.txt
sqlite> SELECT certificate FROM certificates;
sqlite> .q
接下来,从文件中删除
certificate =。$ sed -e "s|certificate = ||g" certificates.txt > temp.txt
$ mv temp.txt certificates.txt
现在使用
nawk和openssl解码每个证书:nawk '
v{v=v"\n"$0}
/----BEGIN/ {v=$0}
/----END/&&v{
print v > "tmp.cert"
close("tmp.cert")
system("openssl x509 -in tmp.cert -inform PEM -text -noout")
v=x}' certificates.txt
如果我们知道这些,坏人肯定也知道。
最后,它的安全性。在上面所说的一切之后,这就是为什么这是一个坏主意的原因。这就是安全姿态的作用。根据Peter Gutmann的《工程安全》(第45页):
In practice CAs seem to issue certificates under more or less any
name to pretty much anybody, ranging from small-scale issues like
users buying certificates for the wonderfully open-ended mail [237]
through to the six thousand sites that commercial CAs like Comodo,
Cybertrust, Digicert, Entrust, Equifax, GlobalSign, GoDaddy,
Microsoft, Starfield and Verisign have certified for localhost,
with no apparent limit on how many times a CA will issue a
certificate for the same name [238].
这里的问题是,“这是我的本地主机,还是你的本地主机”。因此,这不是为你的
localhost发放证书并信任它的问题,而是无意中信任外部localhost的问题。一旦你的软件(例如浏览器)信任发给localhost的证书,那么就结束了。- jww
网页内容由stack overflow 提供, 点击上面的可以查看英文原文,
原文链接
原文链接