Welcome to the VanDyke Software Forums

  #1  
Old 01-04-2007, 12:07 PM
VinceV VinceV is offline
Registered User
 
Join Date: Jan 2007
Posts: 10
SSL Certificate Details

Is there any way to view the details of the server's SSL certificate when using Telnet/SSL? I've looked through all the menus and couldn't find anything.

-Vince
  #2  
Old 01-04-2007, 06:29 PM
miked miked is offline
Registered User
 
Join Date: Feb 2004
Posts: 2,039
It's not currently possible to view the server's SSL certificate, but I've added a request to our database for this ability. We will post a follow-up message here if this feature is added. If you would like to receive e-mail notification, please send us a message through the feature request form and refer to forum thread #2079.
__________________
Mike
VanDyke Software
Technical Support
[http://www.vandyke.com/support]
  #3  
Old 01-11-2007, 05:19 PM
mekanik mekanik is offline
Registered User
 
Join Date: Jul 2005
Posts: 46
Quote:
Originally Posted by miked
It's not currently possible to view the server's SSL certificate, but I've added a request to our database for this ability. We will post a follow-up message here if this feature is added. If you would like to receive e-mail notification, please send us a message through the feature request form and refer to forum thread #2079.
I requested this a while back (June 2006) through Maureen, and said that I would like to see output similar to how something like "openssl s_client -connect forums.vandyke.com:443" displays the certificate exchange.

--
mekanik
  #4  
Old 01-11-2007, 07:21 PM
miked miked is offline
Registered User
 
Join Date: Feb 2004
Posts: 2,039
Thanks mekanik. I have cross-referenced the two requests in our database because they seem like very complementary requests.
__________________
Mike
VanDyke Software
Technical Support
[http://www.vandyke.com/support]
  #5  
Old 01-12-2007, 09:24 AM
miked miked is offline
Registered User
 
Join Date: Feb 2004
Posts: 2,039
Vince and mekanik,

Are you wanting to see the certificate info during authentication, or at any time whether currently authenticating or not?

The implication of wanting to see it at any time is that we would need to save the certificate. If only wanting to view it during authentication, perhaps we could display without saving.

Thank you!
__________________
Mike
VanDyke Software
Technical Support
[http://www.vandyke.com/support]
  #6  
Old 01-12-2007, 05:25 PM
VinceV VinceV is offline
Registered User
 
Join Date: Jan 2007
Posts: 10
Quote:
Originally Posted by miked
Are you wanting to see the certificate info during authentication, or at any time whether currently authenticating or not?
I would like to see this information presented similarly to how it is in a web browser:

1. Upon connection to a host, verify the certificate. I think SecureCRT already does this, but it doesn't look like it checks if hostnames match.

2. Have a lock icon on the status bar that you can click on to get the details of the currently active certificate.

Showing the info during authentication would be better than nothing for sure, but it would be ideal to be able to pull this info up at any time during the session.

-Vince
  #7  
Old 01-14-2007, 02:18 AM
mekanik mekanik is offline
Registered User
 
Join Date: Jul 2005
Posts: 46
Quote:
Originally Posted by miked
Are you wanting to see the certificate info during authentication, or at any time whether currently authenticating or not?

The implication of wanting to see it at any time is that we would need to save the certificate. If only wanting to view it during authentication, perhaps we could display without saving.
I believe anytime would be the most optimal due to security concerns, and the reason will be detailed more in the following response. Ideally the public cert should be stored within the SecureCRT install path (something similar to how the "Known Hosts" directory is used for SSH sessions), IMHO -- and verified/validated against the cert exchanged between SecureCRT and the target host with which you are communicating, each time upon connection during the SSL/TLS handshake. This is mainly due to the fact that someone could easily impersonate the target device to which you are connecting and SecureCRT would never know the difference, thus causing the potential to leak sensitive/confidential (account info, credentials, you name it as the list is endless...) information to some malicious user/host.

If SecureCRT does NOT perform certificate verification/validation upon connection to a host, then I would consider this a **vulnerability** based on the fact that you would never know that someone could be sniffing your session and gathering sensitive/confidential information. Ideally this impacts the integrity of the SecureCRT client and any information or data that you would be sending over the encrypted session.

SecureCRT already performs SSH public-key verification/validation, by storing the keys in the "Known Hosts" directory; ideally this method should be mirrored over to use the same or similar technique for SSL/TLS connections.

Quote:
Originally Posted by VinceV
I would like to see this information presented similarly to how it is in a web browser:
I concur, however -- I would like to have the ability to view the cert when using the trace option that will display all the Certificate fields (ex: Certificate [version, serial number, cert sig algo, issuer], Validity [not before, not after], Subject, Subject Public Key Info [public key algo, public key], Extensions [crl, object id, cert key usage, cert authority key-id, cert subject key-id, cert basic constraints, object-id], Certificate Signature Algo, Certificate Signature Value), plus the negotiated values during the SSL handshake; most of this is in line with the output seen when using openssl from the command line.

Quote:
Originally Posted by VinceV
1. Upon connection to a host, verify the certificate. I think SecureCRT already does this, but it doesn't look like it checks if hostnames match.
Another thing here would be to validate that the certificate belongs to the host to which you are connecting, along with CRL verification, and whether the cert has expired or not.

Quote:
Originally Posted by VinceV
2. Have a lock icon on the status bar that you can click on to get the details of the currently active certificate.
Nice idea VinceV, I like this too. This would also have to be across all tabs/sessions using SSL/TLS as the transport.

Quote:
Originally Posted by VinceV
Showing the info during authentication would be better than nothing for sure, but it would be ideal to be able to pull this info up at any time during the session.
To me, this is a must -- especially to ensure the integrity of the encrypted session is not compromised by a malicious user/host.

Hope this helps,

--
mekanik

Last edited by mekanik; 01-14-2007 at 02:20 AM.
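
The checks requested in this thread (hostname match, expiry, and a stored per-host certificate compared on every connection, in the manner of a known-hosts store) can be sketched as follows. This is an added example, not part of the original posts and not SecureCRT code; the sample host names, certificate bytes and the `pins` store are constructed, and chain validation and CRL checking are not covered.

```python
import hashlib
import ssl

def fingerprint(der: bytes) -> str:
    """SHA-256 of the DER certificate: the value stored per host."""
    return hashlib.sha256(der).hexdigest()

def host_matches(host: str, cert: dict) -> bool:
    """Match host against DNS subjectAltName entries; '*' covers one left-most label."""
    host = host.lower().rstrip(".")
    for kind, name in cert.get("subjectAltName", ()):
        name = name.lower().rstrip(".")
        if kind != "DNS":
            continue
        if name == host:
            return True
        # Refuse over-broad wildcards such as "*.test"; never span more than one label.
        if name.startswith("*.") and name.count(".") >= 2 and "." in host:
            if host.split(".", 1)[1] == name[2:]:
                return True
    return False

def check_peer(host, der, cert, pins, now):
    """Return (verdict, detail). pins maps host -> fingerprint, like a known-hosts store."""
    if not host_matches(host, cert):
        return ("reject", "hostname mismatch")
    start = ssl.cert_time_to_seconds(cert["notBefore"])
    end = ssl.cert_time_to_seconds(cert["notAfter"])
    if not start <= now <= end:
        return ("reject", "outside validity period")
    fp = fingerprint(der)
    if host not in pins:
        pins[host] = fp  # first contact: show fp to the user before trusting it
        return ("new", fp)
    if pins[host] != fp:
        return ("reject", "fingerprint changed")
    return ("ok", fp)

# Constructed sample input (not a real certificate or host).
SAMPLE_DER = b"constructed stand-in for DER certificate bytes"
SAMPLE_CERT = {  # same shape as the dict returned by ssl.SSLSocket.getpeercert()
    "subjectAltName": (("DNS", "telnet.example.test"), ("DNS", "*.lab.example.test")),
    "notBefore": "Jan  1 00:00:00 2007 GMT",
    "notAfter": "Jan  1 00:00:00 2008 GMT",
}
SAMPLE_NOW = ssl.cert_time_to_seconds("Jan 14 02:18:00 2007 GMT")

if __name__ == "__main__":
    pins = {}
    for der in (SAMPLE_DER, SAMPLE_DER, b"different certificate bytes"):
        print(check_peer("telnet.example.test", der, SAMPLE_CERT, pins, SAMPLE_NOW))
```

With a live connection, `der` would come from `getpeercert(binary_form=True)` and `cert` from `getpeercert()` on a Python `ssl.SSLSocket`.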
  #8  
Old 01-15-2007, 03:09 PM
miked miked is offline
Registered User
 
Join Date: Feb 2004
Posts: 2,039
Thanks Vince & Mekanik, we appreciate your taking time to elaborate about what you'd like to see added. I've updated the feature requests so that if we add either the ability to view a certificate in trace options, or at any time, we will post a message here. To receive e-mail notification should this feature be added to a future version, please send us a message through the Feature Request form and reference forum thread 2079.
__________________
Mike
VanDyke Software
Technical Support
[http://www.vandyke.com/support]