Kitz ADSL Broadband Information

Author Topic: https and literal addresses  (Read 5044 times)

Weaver

  • Senior Kitizen
  • ******
  • Posts: 11459
  • Retd s/w dev; A&A; 4x7km ADSL2 lines; Firebrick
https and literal addresses
« on: January 07, 2022, 09:17:27 PM »

I have a switch which offers admin access over https; TLS 1.1 only, not TLS 1.2, so very rubbish. It doesn’t have a self-defined domain name although I can set up a domain name pointing to it, as an aide-memoire. But if something has no domain name associated with it, can one even use https?

burakkucat

  • Respected
  • Senior Kitizen
  • *
  • Posts: 38300
  • Over the Rainbow Bridge
    • The ELRepo Project
Re: https and literal addresses
« Reply #1 on: January 07, 2022, 09:36:09 PM »

Quote from: Weaver
. . . if something has no domain name associated with it, can one even use https ?

I don't see why not.  ???
:cat:  100% Linux and, previously, Unix. Co-founder of the ELRepo Project.

Weaver

  • Senior Kitizen
  • ******
  • Posts: 11459
  • Retd s/w dev; A&A; 4x7km ADSL2 lines; Firebrick
Re: https and literal addresses
« Reply #2 on: January 07, 2022, 09:40:57 PM »

I thought that the address was verified against the domain name in https - but then I know absolutely nothing about it. Maybe that feature is optional, if my understanding is correct in part. I had just assumed for no good reason that address verification was an obligatory component of the process. Does the cert specify addresses as well as a domain name? or should I say optional domain name?

burakkucat

  • Respected
  • Senior Kitizen
  • *
  • Posts: 38300
  • Over the Rainbow Bridge
    • The ELRepo Project
Re: https and literal addresses
« Reply #3 on: January 07, 2022, 09:54:37 PM »

Perhaps those more knowledgeable might give their opinion? (b*cat gives a quick, hard, stare in certain compass headings . . . )

Weaver

  • Senior Kitizen
  • ******
  • Posts: 11459
  • Retd s/w dev; A&A; 4x7km ADSL2 lines; Firebrick
Re: https and literal addresses
« Reply #4 on: January 07, 2022, 09:58:49 PM »

NB I can’t test it as my web browser hates the fact that it is only TLS1.1 not TLS1.2 and goes into deathful whinge mode telling me I’m going to catch something nasty.

Reformed

  • Reg Member
  • ***
  • Posts: 318
Re: https and literal addresses
« Reply #5 on: January 07, 2022, 10:27:22 PM »

Yes - specify IP address as Common Name when generating your certificate/key pair and good to go with most clients.

Alex Atkin UK

  • Addicted Kitizen
  • *****
  • Posts: 5260
    • Thinkbroadband Quality Monitors
Re: https and literal addresses
« Reply #6 on: January 08, 2022, 01:24:04 AM »

Of course that won't solve the out-of-date TLS version.  But I keep all my devices unencrypted anyway as if anyone got on my network I'd have bigger problems than them trying to login to my switches/router. ;)

If you're really going corporate security, you'd have a management VLAN or physical independent network for management only.
Broadband: Zen Full Fibre 900 + Three 5G Routers: pfSense (Intel N100) + Huawei CPE Pro 2 H122-373 WiFi: Zyxel NWA210AX
Switches: Netgear MS510TXUP, Netgear MS510TXPP, Netgear GS110EMX My Broadband History & Ping Monitors

tubaman

  • Senior Kitizen
  • ******
  • Posts: 12507
Re: https and literal addresses
« Reply #7 on: January 08, 2022, 11:49:34 AM »

You can certainly use HTTPS with just an IP address - works fine on my VMG8924-B10A that is using TLS 1.2.
Doesn't your browser allow you to get past the 'bad stuff might happen' prompts as most do?
BT FTTC 55/10 Huawei Cab - Zyxel VMG8924-B10A

Weaver

  • Senior Kitizen
  • ******
  • Posts: 11459
  • Retd s/w dev; A&A; 4x7km ADSL2 lines; Firebrick
Re: https and literal addresses
« Reply #8 on: January 08, 2022, 04:43:54 PM »

I’ve got past the ‘bad stuff’ prompt before but that was when https was not available and I don’t know if the behaviour is different when it’s moaning because of the lack of TLS1.2; you would think not, should be the same UI. Maybe I was just getting confused by the intimidating and confusing UI prompts when I was very tired.

Alex Atkin UK

  • Addicted Kitizen
  • *****
  • Posts: 5260
    • Thinkbroadband Quality Monitors
Re: https and literal addresses
« Reply #9 on: January 10, 2022, 01:28:56 AM »

Quote from: Weaver
I’ve got past the ‘bad stuff’ prompt before but that was when https was not available and I don’t know if the behaviour is different when it’s moaning because of the lack of TLS1.2; you would think not, should be the same UI. Maybe I was just getting confused by the intimidating and confusing UI prompts when I was very tired.

Not sure if it's been removed yet but TLS 1.1 was supposed to be removed from all browsers but got delayed. Apple's comment to developers on this:
https://developer.apple.com/news/?id=bv8ur34d

Chrysalis

  • Content Team
  • Addicted Kitizen
  • *
  • Posts: 7382
  • VM Gig1 - AAISP L2TP
Re: https and literal addresses
« Reply #10 on: January 12, 2022, 11:59:24 AM »

You can do IP-based certificates, I have ones generated for pfsense/opnsense and openwrt devices.

I generate using the wizard in pfsense as I am lazy, that also stores them for me as well master copies, and have the authority trusted on my PC and laptop.

As for the TLS 1.1 only thing, this is why I stopped using proprietary firmware devices.  All the planned obsolescence of them.

Weaver

  • Senior Kitizen
  • ******
  • Posts: 11459
  • Retd s/w dev; A&A; 4x7km ADSL2 lines; Firebrick
Re: https and literal addresses
« Reply #11 on: January 12, 2022, 06:34:54 PM »

So in TLS, if your DNS is evil, gets poisoned and gives the wrong IP address for a server that has a cert, what happens?

Chrysalis

  • Content Team
  • Addicted Kitizen
  • *
  • Posts: 7382
  • VM Gig1 - AAISP L2TP
Re: https and literal addresses
« Reply #12 on: January 13, 2022, 04:02:30 AM »

You would get a certificate warning as the new endpoint wouldn't have a valid certificate.

Weaver

  • Senior Kitizen
  • ******
  • Posts: 11459
  • Retd s/w dev; A&A; 4x7km ADSL2 lines; Firebrick
Re: https and literal addresses
« Reply #13 on: January 13, 2022, 05:43:03 AM »

Why? I’m assuming that the server that is the impersonator is evil, part of the conspiracy?

Reformed

  • Reg Member
  • ***
  • Posts: 318
Re: https and literal addresses
« Reply #14 on: January 14, 2022, 02:22:40 PM »

The certificate needs signing by a certification authority. There are rules around getting certificates signed for domains.

Certificate authorities that don't obey these tend to go out of business rapidly.
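
Added example, not part of any post in this thread: a sketch of the name-matching step an HTTPS client performs, covering both the IP-literal question and the poisoned-DNS question raised above. The certificates are constructed samples shaped like Python's `ssl.SSLSocket.getpeercert()` output and the function names are hypothetical. Only name matching is modelled; the separate check that the certificate chains to a trusted authority is not.

```python
import ipaddress

# Constructed sample certificates, shaped like ssl.SSLSocket.getpeercert() output.
SWITCH_CERT = {"subject": ((("commonName", "192.0.2.10"),),),
               "subjectAltName": (("IP Address", "192.0.2.10"),)}
CN_ONLY_CERT = {"subject": ((("commonName", "192.0.2.10"),),)}
SITE_CERT = {"subjectAltName": (("DNS", "www.example.com"),)}
# A cert for some other name, as a server at a poisoned address might hold.
IMPOSTOR_CERT = {"subjectAltName": (("DNS", "evil.example.net"),)}

def reference_identity(host):
    """Classify the host part of the URL: IP literal or DNS name."""
    try:
        return "IP Address", ipaddress.ip_address(host.strip("[]"))
    except ValueError:
        return "DNS", host.lower().rstrip(".")

def dns_match(pattern, name):
    """Exact match, or a wildcard covering exactly one leftmost label."""
    if pattern == name:
        return True
    head, _, rest = name.partition(".")
    return pattern.startswith("*.") and bool(head) and rest == pattern[2:]

def cert_matches(cert, host):
    """True if the certificate's subjectAltName covers the host in the URL.

    The address DNS resolved to is not an input: the check is against what
    the user asked for. commonName is ignored (no legacy fallback).
    """
    kind, wanted = reference_identity(host)
    for san_kind, value in cert.get("subjectAltName", ()):
        if san_kind != kind:
            continue  # an IP literal never matches a DNS entry, or vice versa
        if kind == "IP Address":
            if ipaddress.ip_address(value) == wanted:
                return True
        elif dns_match(value.lower(), wanted):
            return True
    return False

if __name__ == "__main__":
    for cert, host in [(SWITCH_CERT, "192.0.2.10"), (CN_ONLY_CERT, "192.0.2.10"),
                       (SITE_CERT, "www.example.com"), (IMPOSTOR_CERT, "www.example.com")]:
        print(host, "->", "match" if cert_matches(cert, host) else "name mismatch")
```

RFC 2818 requires an iPAddress subjectAltName entry when the URL holds an IP literal, which is why the commonName-only sample fails here; clients that keep a commonName fallback would accept it.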