Hey out there to whoever is reading.
I have a question and it is regarding a UNI question which I can't seem to find the answer when researching so I thought i'd come to the experts of the web.
The question I'm asked is:
3. For which type of SSL certificate do you need a dedicated IP address?
I understand if asking for help with uni is against terms and conditions as I know some websites don't allow it. (But no harm in trying yeah?)
Thankyou to anyone who helps
For which type of SSL certificate do you need a dedicated IP address?
The context of the question is unknown and it is unknown what "type" of SSL certificate actually means in this unknown context. This could be domain validated vs. extended validated or it cold be X.509v1 vs X.509v3 or even other things. But, I'll try to explain the underlying concepts so that you should hopefully be able to come up with an answer yourself.
Validation of the certificate includes checking the target hostname (from the URL in case of HTTPS) against the subjects of the certificate. These subjects can be given as subject alternative names and/or as common name. Commonly none of these subjects has an IP address which means that commonly no fixed IP address is needed for a server using this certificate - all what is needed is that the server is actually reachable by the given hostname (i.e. DNS is properly setup) and that the client is using this hostname to connect to the server (instead of using the IP address only).
But it is possible to also include IP addresses as subject of the certificate. This is uncommon and no public CA (as found as trust anchor in the browser) will issue such a certificate any longer but private CA might do it. The validation is similar to the hostname, i.e. the client has to use the IP address in the URL to access the site and check that the IP address used matches any of the IP addresses given as subject in the certificate. Having a fixed IP will help in this case but actually the only requirement is that the IP address the client uses is included as any of the possible many subjects in the certificate. This means that the server might actually be reachable by different IP addresses as long as all of these are included as subject in the certificate.
Related
I am quite new to ssl stuffs but I am afraid I can guess the final answer of the following problem/question:
We are building hardware (let's call them servers) that WILL have IP address modifications along there lifetime. Each Server must be reachable in a secured manner. We are planning to use a TLS 1.3 secured connection to perform some actions on the servers (update firmware, change configuration and so on). As a consequence we need to provide the server's with one certificate (each) so that they can state their identity. PKI issue is out of the scope of this question (we suppose) and we can take for granted that the clients and the servers will share a common trusted CA to ensure the SSL handshake goes ok. The server's will serve http connection on there configured (changeable) IP addresses only. There is no DNS involved on the loop.
We are wondering how to set the servers' certificates appropriately.
As IP will change, it cannot be used as the common name in the server's certificate.
Therefore, we are considering using something more persistent such as a serial number or a MAC address.
The problem is, as there is no DNS in the loop, the client can not issue http request to www.serialNumberOfServer.com and must connect to http://x.y.z.t (which will change frequently (at least frequently enough so that we don't issue a new server's certificate at each time))
If we get it right, ssl handshake requires to have the hostname (that's in the URL we are connecting to) matching either the commonName of the server's Certificate or one of its Subject's Alternative Name (SAN). Right? Here, it would be x.y.z.t.
So we think we are stucked in a situation in which the server cannot use it's IP to prove its identity and the client wants to use it exclusively to connect to the server.
Is there any work around?
Are we missing something?
Any help would be very (VERY) appreciated. Do not hesitated in cas you should need more detailed explanation!
For what it's worth, the development environment will be Qt using the QNetworkAccessManager/QSSlstuffs framework.
If you're not having the client use DNS at all, then you do have a problem. The right solution is to use DNS or static hostname lists (/etc/hosts, eg, on unix* or hosts.txt on windows eg.). That will let you set names appropriately.
If you can only use IP addresses, another option is to put all of your IP addresses into the certificate that the server might use. This is only doable if you have a reasonable small number of addresses that they might get assigned to.
Or you could keep a cache of certificates on the server with one address for each, and have part of the webserver start process to select the right certificate. Requires a bit more complex startup.
Edit: Finally, some SSL stacks (e.g. openssl) let you decide whether or not each particular verification error should be accepted as an error or that it can be ignored. This would let you override the errors on the client side. However, this is hard to implement properly and very prone to security issues if you don't bind the remote certificate properly it means you're subjecting yourself to man-in-the-middle or other attacks by blindly accepting any old certificate. I don't remember if Qt's SSL library gives you this level of flexibility or not (I don't believe so but didn't go pull up the documentation).
Went back on the subject 9 mont later!
Turns out there is an easy solution (at least with Qt framework)
Qt's QNetworkRequest::setPeerVerifyName does the job for us. It allows to connect to an host using its IP and verify a given CN during SSL handshake
See Qt's documentation extract below:
void QNetworkRequest::setPeerVerifyName(const QString &peerName)
Sets peerName as host name for the certificate validation, instead of the one used for the TCP connection.
This function was introduced in Qt 5.13.
See also peerVerifyName.
Just tested it positively right now
Good Afternoon,
I wanted to ask this question regarding SSL certificates. Our company manages several servers. For example:
location1.domain.com
location2.domain.com
location3.domain.com
Each of the links goes to a different server with different IP as it pertains to connecting to the system from the outside world. And at each location, there are browsers that connect to each server on the local network to the same network.
For example:
192.168.2.130
The server is an apache2 running ubuntu server 14. In addition, in all the tutorials that I have looked at, one needs to know the IP address of the machine. With many of these locations, the IP address often changes. They have dynamic IPs. What I was wondering is what kind of SSL certificate do I need? I thought about the wildcard certificate but did know if it was an overkill. I also would like for the location users within each location to not see the error message that comes from not having a correctly signed SSL certificate. Thanks in advance.
George
Unless the number of location is constantly changing, you don't need a wildcard certificate. Just get one per location. Certificates should always be assigned to a name, not ip, so how the request is routed doesn't really matter.
If the internal users actually connect via IPs, rather than names, that's something you need to fix, because you have to bind the certificate to a stable name. If you want the internal users to skip the global routing, you can use something like split-horizon dns for it. (basically you serve your local users different dns answers than the ones you publish to the internet)
I am developing an https-based web server on my machine. This currently works with a self-signed certificate. Of course, my browsers complain about it, but it is okay for me to skip this check and accept my very own certificate.
Now I would like a co-worker to be able to access my https server as well. My machine does neither have an internal host name setup nor a static IP address.
Of course, if I create a certificate for localhost, it will not work for him - as localhost for him is his machine, not mine.
How can I solve this issue?
Is the only way to assign a static IP address or to setup a host name? Is it possible to get a certificate that matches any IP and / or hostname?
(Please note that I know that this is quite counterintuitive to what certificates are meant for, and I highly doubt that you will find someone trust-worthy who issues a certificate for anything, but I still have hope ;-). At the moment, we do not need it for authentication, just for testing. We would replace it with a valid certificate later on.)
You can issue a certificate to multiple Subject Alternative Names (e.g. localhost, machine001.local and 192.168.0.15). Note that, for IP addresses, the SAN must be of type IP address. Most tools that let you do this will let you specify the type (XCA is one of them for example).
I'm not sure how your co-worker can access your machine if it doesn't have either an internal host name or a static IP address. Perhaps you could use something like mDNS to give it a .local name anyway. Alternatively, you can use dynamic DNS services. They would also work even if they resolve the DNS to an IP address that is only routed on your LAN.
Ideally (since you don't want to use a commercial CA), you should create a CA (again, XCA can help) and distribute your CA certificate to your co-workers. In this case you wouldn't even have to add exceptions.
Having a certificate that matches any IP address or hostname wouldn't work. You normally can't have wildcards with IP addresses, and most browsers require more than one "label". Some implementations even make sure you have enough to fall within the scope of an actual domain (e.g. *.something.com or *.something.co.uk).
(Some browsers would let you add exceptions that also comprise the name mismatch (Firefox is one of them), so in this case, the names are not particularly relevant.)
I generated a self signed certificate on IIS 7.5. It got generated against the machine name. At present I am testing my website over the IP address. On accessing it on Chrome over https I get a message, "You attempted to reach IP Address, but instead you actually reached a server identifying itself as Machine Name".
How can I ensure that the certificate can honor both the Machine Name and the IP address?
If in case both cannot be honored, how can I make it honor the IP address only?
You should create a certificate with multiple Subject Alternative Names. What you put in the CN at that stage doesn't really matter (it's only a fallback solution when there are no SANs), but putting the host name should help you identify the certificate in various lists.
Note that the entries for host names should be of dNSName type, but the entries for the IP address should be of iPAddress type, so you need a certificate creation tool that supports both. There are more details in this question (not specific to Java).
Note that IP addresses can be OK in a development context, but host names are often better anyway. Few (if any) CAs will issue you with a certificate tied to an IP address.
Do not advice to return true from the validation callback. It's a bad practice. Because of I don't know the best practice of a cerfificate validation I want to rely on the default implementation, but I quite don't understand what name of a server certificate should be specified if the client tries to connect to "https://192.168.0.64/Company/ServiceReference.svc/MainService"?
If your server is being accessed by IP address, then you'd need a certificate that is issued by a trusted certification authority, is not yet expired and is named to match your IP address. In your case, it appears this would be 192.168.0.64. Generally speaking though, it's preferable to use a host or DNS name as you may not be able to control whether the IP address of your server changes. If the IP were to change, your certificate would then be invalid because the name would no longer match.