SSL Certificate Details

[VinceV]

Is there any way to view the details of the server's SSL certificate when using Telnet/SSL? I've looked through all the menus and couldn't find anything.

-Vince

[miked]

It's not currently possible to view the server's SSL certificate, but I've added a request to our database for this ability. We will post a follow up message here if this feature is added. If you would like to receive e-mail notification, please send us a message through the feature request form and refer to forum thread #2079.

[mekanik]

Quote:

Originally Posted by miked

It's not currently possible to view the server's SSL certificate, but I've added a request to our database for this ability. We will post a follow up message here if this feature is added. If you would like to receive e-mail notification, please send us a message through the feature request form and refer to forum thread #2079.

I requested this a while back (June 2006) through Maureen, and said that I would like to see output similar to using something like how "openssl s_client -connect forums.vandyke.com:443" displays the certificate exchange.

--
mekanik

[miked]

Thanks mekanik. I have cross referenced the two requests in our database because they seem like very complimentary requests.

[miked]

Vince and mekanik,

Are you wanting to see the certificate info during authentication, or at any time whether currently authenticating or not?

The implication of wanting to see it at any time is that we would need to save the certificate. If only wanting to view it during authentication, perhaps we could display without saving.

Thank you!

[VinceV]

Quote:

Originally Posted by miked

Are you wanting to see the certificate info during authentication, or at any time whether currently authenticating or not?

I would like to see this information presented similarly to how it is in a web browser:

1. Upon connection to a host, verify the certificate. I think SecureCRT already does this, but it doesn't look like it checks if hostnames match.

2. Have a lock icon on the status bar that you can click on to get the details of the currently active certificate.

Showing the info during authentication would be better than nothing for sure, but it would be ideal to be able to pull this info up at any time during the session.

-Vince

[mekanik]

Quote:

Originally Posted by miked

Are you wanting to see the certificate info during authentication, or at any time whether currently authenticating or not?

The implication of wanting to see it at any time is that we would need to save the certificate. If only wanting to view it during authentication, perhaps we could display without saving.

I believe anytime would be the most optimal due to security concerns, and the reason being will be detailed more in the following response. Ideally the public cert should be stored within the SecureCRT install path (something similar to how the "Known Hosts" directory is used for SSH sessions), IMHO -- and verified/validated against the cert exchanged between SecureCRT and the target host for which you are communicating with each time upon connection during the SSL/TLS handshake. This is mainly due to the fact that someone could easily impersonate the target device for which you are connecting to and SecureCRT would never know the difference, thus causing the potential to leak sensitive/confidential (account info, credentials, you name it as the list is endless...) information to some malicious user/host.

If SecureCRT does NOT perform certificate verification/validation upon connection to a host, then I would consider this a **vulnerability** based on the fact that you would never know that someone could be sniffing your session and gathering sensitive/confidential information. Ideally this is impacts the integrity of the SecureCRT client and any information or data that you would be sending over the encrypted session.

SecureCRT already performs SSH public-key verification/validation, by storing the keys in the "Known Hosts" directory, ideally this method should be mirrored over to use the same or similar technique for SSL/TLS connections.

Quote:

Originally Posted by VinceV

I would like to see this information presented similarly to how it is in a web browser:

I concur, however -- I would like to have the ability to view the cert when using the trace option that will display the all the Certificate fields (ex: Certificate [version, serial number, cert sig algo, issuer], Validity [not before, not after], Subject, Subject Public Key Info [public key algo, public key], Extensions [crl, object id, cert key usage, cert authority key-id, cert subject key-id, cert basic constraints, object-id], Certificate Signature Algo, Certificate Signature Value), plus the negotiated values during the SSL handshake, most of this is inline with the output seen when using openssl from the command line.

Quote:

Originally Posted by VinceV

1. Upon connection to a host, verify the certificate. I think SecureCRT already does this, but it doesn't look like it checks if hostnames match.

Another thing here, would be to validate that the certificate belongs to the host for which you are connecting to. Along with CRL verification, and whether the cert has expired or not.

Quote:

Originally Posted by VinceV

2. Have a lock icon on the status bar that you can click on to get the details of the currently active certificate.

Nice idea VinceV, I like this too. This would also have to be across all tabs/sessions using SSL/TLS as the transport.

Quote:

Originally Posted by VinceV

Showing the info during authentication would be better than nothing for sure, but it would be ideal to be able to pull this info up at any time during the session.

To me, this is a must -- especially to ensure the integrity of the encrypted session is not compromised by a malicious user/host.

Hope this helps,

--
mekanik

[miked]

Thanks Vince & Mekanik, we appreciate your taking time to elaborate about what you'd like to see added. I've updated the feature requests so that if we add either the ability to view a certificate in trace options, or at any time, we will post a message here. To receive e-mail notification should this feature be added to a future version, please send us a message through the Feature Request form and reference forum thread 2079.