我们正在决定是否应将“localhost”(以及类似“127.0.0.1”之类的地址)添加为证书中的主题备用名称之一。一个好处可能是促进本地测试。但是会有任何缺点吗?
答案 0 :(得分:7)
在主题备用名称中添加localhost是一个好主意(或不好)吗?
这取决于您遵循的标准和您的安全状况。
首先要做的事情(下面的讨论)。必须定义完全限定的域名(FQDN)。该定义取自W. Richard Steven的TCP/IP Illustrated Volume I: The Protocols(第189页):
以句点结尾的域名称为绝对域名或完全限定域名。如果域名未在句点中结束,则假定需要完成名称。名称的完成方式取决于所使用的DNS软件。
这意味着我们可以通过附加句点来将localhost更改为完全限定的域名:
localhost.
这是一个小实验:
$ hostname
debian-q500
$ hostname --fqdn
debian-q500
$ dnsdomainname
$
$ ping debian-q500.
ping: unknown host debian-q500.
$ ping debian-q500.local
PING debian-q500.local (172.16.1.26) 56(84) bytes of data.
64 bytes from debian-q500.home.pvt (172.16.1.26): icmp_req=1 ttl=64 time=0.040 ms
64 bytes from debian-q500.home.pvt (172.16.1.26): icmp_req=2 ttl=64 time=0.035 ms
...
$ ping localhost.
PING localhost (127.0.0.1) 56(84) bytes of data.
64 bytes from localhost (127.0.0.1): icmp_req=1 ttl=64 time=0.033 ms
64 bytes from localhost (127.0.0.1): icmp_req=2 ttl=64 time=0.037 ms
...
$ ping localhost.local
ping: unknown host localhost.local
$ ping localhost.localdomain
ping: unknown host localhost.localdomain
接下来是标准。其中最受欢迎的是CA广告浏览器发布的指南。 CA广告浏览器在CA / B论坛上发布其操作指南。他们感兴趣的两个指南是:
还有另一个受欢迎的版本,但它通常会推迟证书中列出的主机中的CA / B指南。该标准是IETF的RFC 5280:
RFC 5280将调出其他项目,例如如何验证证书链以及如何在subjectAltName中列出电子邮件地址。
基线指南
基线指南有关于名称的说法:
9.2.1 Subject Alternative Name Extension
Certificate Field: extensions:subjectAltName
Required/Optional: Required
Contents: This extension MUST contain at least one entry. Each
entry MUST be either a dNSName containing the Fully-Qualified
Domain Name or an iPAddress containing the IP address of a
server. The CA MUST confirm that the Applicant controls the
Fully-Qualified Domain Name or IP address or has been granted
the right to use it by the Domain Name Registrant or IP address
assignee, as appropriate.
Wildcard FQDNs are permitted.
...
和
9.2.2 Subject Common Name Field
Certificate Field: subject:commonName (OID 2.5.4.3)
Required/Optional: Deprecated (Discouraged, but not prohibited)
Contents: If present, this field MUST contain a single IP address or
Fully-Qualified Domain Name that is one of the values contained in
the Certificate’s subjectAltName extension (see Section 9.2.1).
最后,
11.1.3 Wildcard Domain Validation
Before issuing a certificate with a wildcard character (*) in a
CN or subjectAltName of type DNS-ID, the CA MUST establish and
follow a documented procedure† that determines if the wildcard
character occurs in the first label position to the left of a
“registry-controlled” label or “public suffix” (e.g. “*.com”,
“*.co.uk”, see RFC 6454 Section 8.2 for further explanation).
If a wildcard would fall within the label immediately to the left
of a registry-controlled† or public suffix, CAs MUST refuse
issuance unless the applicant proves its rightful control of the
entire Domain Namespace. (e.g. CAs MUST NOT issue “*.co.uk” or
“*.local”, but MAY issue “*.example.com” to Example Co.).
所以localhost只要是完全合格的域名就可以了。事实上,localhost甚至没有在指南中提及。
扩展验证
9.2.2 Subject Alternative Name Extension
Certificate field: subjectAltName:dNSName
Required/Optional: Required
Contents: This extension MUST contain one or more host Domain
Name(s) owned or controlled by the Subject and to be associated
with the Subject’s server. Such server MAY be owned and operated
by the Subject or another entity (e.g., a hosting service).
Wildcard certificates are not allowed for EV Certificates.
9.2.3 Subject Common Name Field
Certificate field: subject:commonName (OID: 2.5.4.3)
Required/Optional: Deprecated (Discouraged, but not prohibited)
Contents: If present, this field MUST contain a single Domain
Name(s) owned or controlled by the Subject and to be associated
with the Subject’s server. Such server MAY be owned and operated
by the Subject or another entity (e.g., a hosting service).
Wildcard certificates are not allowed for EV Certificates.
所以localhost只要是完全合格的域名就可以了。事实上,localhost甚至没有在指南中提及。
Microsoft鼓励KB315588中的练习,HOW TO: Secure an ASP.NET Application Using Client-Side Certificates:
littleblackbox是嵌入式设备的私有SSL / TLS和SSH密钥的数据库。它在bin/中附带了一个SQlite3数据库。
证书采用PEM格式(即-----BEGIN CERTIFICATE-----和朋友)。您可以使用以下命令转储所有证书:
$ sqlite3 lbb.db
SQLite version 3.8.3 2013-12-17 16:32:56
Enter ".help" for instructions
Enter SQL statements terminated with a ";"
sqlite> .mode line
sqlite> .out certificates.txt
sqlite> SELECT certificate FROM certificates;
sqlite> .q
接下来,从文件中删除certificate =:
$ sed -e "s|certificate = ||g" certificates.txt > temp.txt
$ mv temp.txt certificates.txt
现在使用nawk和openssl解码每个证书:
nawk '
v{v=v"\n"$0}
/----BEGIN/ {v=$0}
/----END/&&v{
print v > "tmp.cert"
close("tmp.cert")
system("openssl x509 -in tmp.cert -inform PEM -text -noout")
v=x}' certificates.txt
如果我们了解他们,坏人肯定知道他们。
最后,它的安全态势。综上所述,这就是为什么这是一个坏主意。这就是安全态势的来源。来自Peter Gutmann的Engineering Security(第45页):
In practice CAs seem to issue certificates under more or less any
name to pretty much anybody, ranging from small-scale issues like
users buying certificates for the wonderfully open-ended mail [237]
through to the six thousand sites that commercial CAs like Comodo,
Cybertrust, Digicert, Entrust, Equifax, GlobalSign, GoDaddy,
Microsoft, Starfield and Verisign have certified for localhost,
with no apparent limit on how many times a CA will issue a
certificate for the same name [238].
这里的问题是,“它是我的本地主机,还是你的本地主机”。因此,它不是一个为您的localhost发出证书和信任的问题 - 更多的是无意中信任外国localhost的问题。
一旦您的软件(例如浏览器)信任颁发给localhost的证书,其游戏结束。