Opened 10 years ago
Common Name in SSL/TLS certificates is not checked against the server name connected to
Reported by: Holger Böhnke
Owned by:
Keywords: checkt tls common name
Cc:
Component version:
Operating system type:
Operating system version:
When connecting to a site using FTPS (SSL/TLS) the common name of the certificate is not checked against the server name. Although a warning is displayed that the certificate is untrusted, it is not explicitly stated that the server name mismatches the CN.
This could be easily overlooked by inexperienced users.
Steps to reproduce:
config server A: serverA.domain.com (explicit TLS)
Setup an FTP Server serverA.domain.com presenting a certificate with a common name of "someotherserver.domain.com"
Connect to server A, a warning is displayed that the certificate is not trusted. The fact that "serverA.domain.com" and "someotherserver.domain.com" do not match is not explicitly stated.
As this is a strong indication of malicious activity, the user should be warned about it in an urgent manner.
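The check the ticket asks for, written out as an added example (this is not FileZilla's code). It compares the host name the client connected to against the names in the server certificate, preferring subjectAltName dNSNames over the subject CN as RFC 6125 does, and produces the explicit "issued for X but you connected to Y" message the reporter wants. The certificate dicts are constructed samples in the layout that Python's ssl.SSLSocket.getpeercert() returns; the connect helper at the end needs a live FTPS server and is not exercised here.

```python
"""Host name check for a server certificate, in the dict layout returned by
ssl.SSLSocket.getpeercert(). Added example, not FileZilla code."""
import ssl
import ftplib  # used only by connect_explicit_ftps(), which needs a live server

# Constructed sample certificates (getpeercert() layout), mirroring the ticket:
# the client connects to serverA.domain.com, the server presents a certificate
# for someotherserver.domain.com.
MISMATCHED_CERT = {
    "subject": ((("countryName", "DE"),),
                (("commonName", "someotherserver.domain.com"),)),
    "subjectAltName": (("DNS", "someotherserver.domain.com"),),
}
MATCHING_CERT = {  # legacy CN-only certificate, no SAN extension
    "subject": ((("commonName", "serverA.domain.com"),),),
}
WILDCARD_CERT = {  # SAN present, so the CN is ignored entirely
    "subject": ((("commonName", "ignored-when-san-present"),),),
    "subjectAltName": (("DNS", "*.domain.com"),),
}


def cert_names(cert):
    """Return (common_names, san_dns_names) from a getpeercert()-style dict."""
    cns = []
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                cns.append(value)
    sans = [value for (kind, value) in cert.get("subjectAltName", ())
            if kind == "DNS"]
    return cns, sans


def _name_match(pattern, hostname):
    """Case-insensitive exact match, plus a single leading '*.' wildcard that
    covers exactly one DNS label (RFC 6125 section 6.4.3 style)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        rest = pattern[2:]
        labels = hostname.split(".")
        return (len(labels) >= 2 and "*" not in rest
                and ".".join(labels[1:]) == rest)
    return False


def check_hostname(cert, hostname):
    """Return (ok, message). SAN dNSNames take precedence; the subject CN is
    consulted only when the certificate carries no SAN dNSName."""
    cns, sans = cert_names(cert)
    candidates = sans if sans else cns
    if any(_name_match(c, hostname) for c in candidates):
        return True, f"certificate name matches {hostname}"
    if not candidates:
        return False, f"certificate carries no host name to compare with {hostname}"
    return False, (f"certificate was issued for {', '.join(candidates)} "
                   f"but you connected to {hostname}")


def explicit_ftps_context():
    """Verifying context: create_default_context() already enables
    check_hostname and CERT_REQUIRED, so a name mismatch fails the handshake."""
    ctx = ssl.create_default_context()
    assert ctx.check_hostname and ctx.verify_mode == ssl.CERT_REQUIRED
    return ctx


def connect_explicit_ftps(host, port=21):
    """Explicit FTPS (AUTH TLS) with ftplib; raises ssl.SSLCertVerificationError
    when the certificate does not match `host`. Requires a live server."""
    ftps = ftplib.FTP_TLS(context=explicit_ftps_context())
    ftps.connect(host, port)
    ftps.auth()    # AUTH TLS; wrap_socket() is given server_hostname=host
    ftps.prot_p()  # protect the data channel as well
    return ftps


if __name__ == "__main__":
    for cert in (MISMATCHED_CERT, MATCHING_CERT, WILDCARD_CERT):
        print(check_hostname(cert, "serverA.domain.com"))
```

Run stand-alone it prints the verdict for each sample certificate; the mismatched one yields the explicit message rather than a generic "untrusted certificate" warning.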