SSL and Certificate Matching

From: mkb <mkb125_at_yahoo.com>
Date: Mon, 14 Jul 2008 12:25:34 -0700 (PDT)
Message-ID: <498059.56652.qm@web58014.mail.re3.yahoo.com>

BACKGROUND

I have setup SSL on my servers and I am using streams to communicate over SSL. So each server has a client and server certificate. This environment has been setup on Oracle 10gR2 and RedHat Linux AS 4U2.

The client and server certificates are stored in separate Oracle wallets, one for the client and one for the server.

For testing the SSL connection, I created a user as follows:

alter user user1 identified externally as 'CN=acme, OU=acme, O=acme, L=NY, ST=NY, C=US';

I then use a simple Java program to connect to the database using the above user. I am able to connect and have no issues there.

I've set SSL_CLIENT_AUTHENTICATION = TRUE in both the sqlnet.ora and listener.ora so that the server authenticates the client.

QUESTION

I'm trying to figure out if certificate matching takes place between client and server during the connection phase. I tracked down the following document: http://download.oracle.com/docs/cd/B19306_01/network.102/b14268/asoappb.htm#i635129 and in section B.3.4.1 SSL X.509 Server Match Parameters it seems to indicate that SSL_SERVER_DN_MATCH does not take place unless you explicitly set the parameter in the sqlnet.log file.

Anyway, even if you set this parameter to TRUE and force DN matching, what's there from preventing someone constructing another certificate from a trusted issuer with the same DN and connecting to the database? Is there a way I can create the user as above (with a DN) but also with another attribute from within the certificate such as certificate thumbprint or serial number?

I logged a TAR but I don't seem to be getting through to the support dude on the other end. Perhaps I haven't explained it well enough but if anyone has some insight on this, I would sure appreciate it.

Oh BTW, I'll update you all on the TAR once I get a clear answer back from support as well.

--

mohammed

--

http://www.freelists.org/webpage/oracle-l Received on Mon Jul 14 2008 - 14:25:34 CDT

This message: [ Message body ]
Next message: Christian Antognini: "Re: OC4J Bind Variables: Positional Notation"
Previous message: David Barbour: "Re: EM2GO or Grid Control on a Blackberry"

Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ]

Original text of this message