Kitz ADSL Broadband Information

Author Topic: https and literal addresses  (Read 463 times)

Weaver

  • Senior Kitizen
  • ******
  • Posts: 10421
  • Retd s/w dev; A&A; 3x7km lines; Firebrick
https and literal addresses
« on: January 07, 2022, 09:17:27 PM »

I have a switch which offers admin access over https; TLS 1.1 only, not TLS 1.2, so very rubbish. It doesn't have a self-defined domain name although I can set up a domain name pointing to it, as an aide-memoire. But if something has no domain name associated with it, can one even use https?
Logged

burakkucat

  • Global Moderator
  • Senior Kitizen
  • *
  • Posts: 34778
  • Over the Rainbow Bridge
    • The ELRepo Project
Re: https and literal addresses
« Reply #1 on: January 07, 2022, 09:36:09 PM »

. . . if something has no domain name associated with it, can one even use https ?

I don't see why not.  ???
Logged
:cat:  100% Linux and, previously, Unix. Co-founder of the ELRepo Project.

Please consider making a donation to support the running of this site.

Weaver

  • Senior Kitizen
  • ******
  • Posts: 10421
  • Retd s/w dev; A&A; 3x7km lines; Firebrick
Re: https and literal addresses
« Reply #2 on: January 07, 2022, 09:40:57 PM »

I thought that the address was verified against the domain name in https - but then I know absolutely nothing about it. Maybe that feature is optional, if my understanding is correct in part. I had just assumed for no good reason that address verification was an obligatory component of the process. Does the cert specify addresses as well as a domain name? or should I say optional domain name?
Logged

burakkucat

  • Global Moderator
  • Senior Kitizen
  • *
  • Posts: 34778
  • Over the Rainbow Bridge
    • The ELRepo Project
Re: https and literal addresses
« Reply #3 on: January 07, 2022, 09:54:37 PM »

Perhaps those more knowledgeable might give their opinion? (b*cat gives a quick, hard, stare in certain compass headings . . . )
Logged
:cat:  100% Linux and, previously, Unix. Co-founder of the ELRepo Project.

Please consider making a donation to support the running of this site.

Weaver

  • Senior Kitizen
  • ******
  • Posts: 10421
  • Retd s/w dev; A&A; 3x7km lines; Firebrick
Re: https and literal addresses
« Reply #4 on: January 07, 2022, 09:58:49 PM »

NB I can't test it as my web browser hates the fact that it is only TLS1.1 not TLS1.2 and goes into deathful whinge mode telling me I'm going to catch something nasty.
Logged

Reformed

  • Reg Member
  • ***
  • Posts: 110
Re: https and literal addresses
« Reply #5 on: January 07, 2022, 10:27:22 PM »

Yes - specify IP address as Common Name when generating your certificate/key pair and good to go with most clients.
Logged

Alex Atkin UK

  • Kitizen
  • ****
  • Posts: 3304
    • Thinkbroadband Quality Monitors
Re: https and literal addresses
« Reply #6 on: January 08, 2022, 01:24:04 AM »

Of course that won't solve the out-of-date TLS version.  But I keep all my devices unencrypted anyway as if anyone got on my network I'd have bigger problems than them trying to login to my switches/router. ;)

If you're really going corporate security, you'd have a management VLAN or physical independent network for management only.
Logged
INTAKE (ECI) Home Hub 5A (OpenWRT) on Zen, Hauwei B353-232 on Libera 4G, Hauwei CPE Pro 2 H122-373 on Three 5G Router: pfSense (i5-7200U) WiFi: Zyxel NWA210AX + Ubiquiti nanoHD (OpenWRT)
My Broadband History & Ping Quality Monitors

tubaman

  • Addicted Kitizen
  • *****
  • Posts: 8739
Re: https and literal addresses
« Reply #7 on: January 08, 2022, 11:49:34 AM »

You can certainly use HTTPS with just an IP address - works fine on my VMG8924-B10A that is using TLS 1.2.
Doesn't your browser allow you to get past the 'bad stuff might happen' prompts as most do?
Logged
BT FTTC 55/10 Huawei Cab - Zyxel VMG8924-B10A

Weaver

  • Senior Kitizen
  • ******
  • Posts: 10421
  • Retd s/w dev; A&A; 3x7km lines; Firebrick
Re: https and literal addresses
« Reply #8 on: January 08, 2022, 04:43:54 PM »

I've got past the 'bad stuff' prompt before but that was when https was not available and I don't know if the behaviour is different when it's moaning because of the lack of TLS1.2; You would think not, should be the same UI. Maybe I was just getting confused by the intimidating and confusing UI prompts when I was very tired.
Logged

Alex Atkin UK

  • Kitizen
  • ****
  • Posts: 3304
    • Thinkbroadband Quality Monitors
Re: https and literal addresses
« Reply #9 on: January 10, 2022, 01:28:56 AM »

I've got past the 'bad stuff' prompt before but that was when https was not available and I don't know if the behaviour is different when it's moaning because of the lack of TLS1.2; You would think not, should be the same UI. Maybe I was just getting confused by the intimidating and confusing UI prompts when I was very tired.

Not sure if it's been removed yet but TLS 1.1 was supposed to be removed from all browsers but got delayed, Apple's comment to developers on this:
https://developer.apple.com/news/?id=bv8ur34d

Logged
INTAKE (ECI) Home Hub 5A (OpenWRT) on Zen, Hauwei B353-232 on Libera 4G, Hauwei CPE Pro 2 H122-373 on Three 5G Router: pfSense (i5-7200U) WiFi: Zyxel NWA210AX + Ubiquiti nanoHD (OpenWRT)
My Broadband History & Ping Quality Monitors

Chrysalis

  • Content Team
  • Addicted Kitizen
  • *
  • Posts: 6720
Re: https and literal addresses
« Reply #10 on: January 12, 2022, 11:59:24 AM »

You can do IP based certificates, I have ones generated for pfsense/opnsense and openwrt devices.

I generate using the wizard in pfsense as I am lazy, that also stores them for me as well master copies, and have the authority trusted on my PC and laptop.

As for the TLS 1.1 only thing, this is why I stopped using proprietary firmware devices.  All the planned obsolescence of them.
Logged
AAISP - Billion 8800NL bridge & PFSense BOX running PFSense 2.4 - ECI Cab - LINE STATISTICS CLICK HERE

Weaver

  • Senior Kitizen
  • ******
  • Posts: 10421
  • Retd s/w dev; A&A; 3x7km lines; Firebrick
Re: https and literal addresses
« Reply #11 on: January 12, 2022, 06:34:54 PM »

So in TLS, if your DNS is evil, gets poisoned and gives the wrong IP address for a server that has a cert, what happens?
Logged

Chrysalis

  • Content Team
  • Addicted Kitizen
  • *
  • Posts: 6720
Re: https and literal addresses
« Reply #12 on: January 13, 2022, 04:02:30 AM »

You would get a certificate warning as the new endpoint wouldn't have a valid certificate.
Logged
AAISP - Billion 8800NL bridge & PFSense BOX running PFSense 2.4 - ECI Cab - LINE STATISTICS CLICK HERE

Weaver

  • Senior Kitizen
  • ******
  • Posts: 10421
  • Retd s/w dev; A&A; 3x7km lines; Firebrick
Re: https and literal addresses
« Reply #13 on: January 13, 2022, 05:43:03 AM »

Why? I'm assuming that the server that is the impersonator is evil, part of the conspiracy?
Logged

Reformed

  • Reg Member
  • ***
  • Posts: 110
Re: https and literal addresses
« Reply #14 on: January 14, 2022, 02:22:40 PM »

The certificate needs signing by a certification authority. There are rules around getting certificates signed for domains.

Certificate authorities that don't obey these tend to go out of business rapidly.
Logged
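
Added example, not part of the thread or any poster's code: a Python model of the identity check a TLS client makes, covering both questions raised above (an IP literal in the URL, and a poisoned DNS answer). It assumes a client that matches only subjectAltName entries and ignores the Common Name, as Chrome has done since version 58; the certificates, addresses, CA names and the `client_accepts` helper are constructed for illustration, and chain validation is reduced to an issuer lookup.

```python
import ipaddress

def reference_identity(target):
    """Classify what the user typed in the URL: IP literal or DNS name."""
    try:
        return "IP Address", str(ipaddress.ip_address(target.strip("[]")))
    except ValueError:
        return "DNS", target.lower().rstrip(".")

def dns_match(pattern, name):
    """Exact match, or a '*' standing for the whole leftmost label."""
    pattern = pattern.lower().rstrip(".")
    p, n = pattern.split("."), name.split(".")
    if p[0] == "*" and len(p) > 2:
        return len(p) == len(n) and p[1:] == n[1:]
    return pattern == name

def cert_matches(cert, target):
    """subjectAltName uses the ssl.getpeercert() layout; the CN is ignored."""
    kind, wanted = reference_identity(target)
    for san_kind, value in cert.get("subjectAltName", ()):
        if san_kind == "IP Address" == kind:
            if str(ipaddress.ip_address(value.strip())) == wanted:
                return True
        elif san_kind == "DNS" == kind and dns_match(value, wanted):
            return True
    return False

def client_accepts(target, resolved_ip, servers, trusted_issuers):
    """Assumption: trust is an issuer lookup, not real signature checking."""
    cert = servers[resolved_ip]
    return cert["issuer"] in trusted_issuers and cert_matches(cert, target)

# Constructed sample data (RFC 5737 addresses, .example names).
SWITCH = {"issuer": "Home Lab CA", "subjectAltName": (("IP Address", "192.0.2.10"),)}
CN_ONLY = {"issuer": "Home Lab CA", "subject": ((("commonName", "192.0.2.10"),),)}
BANK = {"issuer": "Public CA", "subjectAltName": (("DNS", "www.bank.example"),)}
FAKE_SELF = {"issuer": "Evil CA", "subjectAltName": (("DNS", "www.bank.example"),)}
FAKE_OWN = {"issuer": "Public CA", "subjectAltName": (("DNS", "evil.example"),)}
SERVERS = {"192.0.2.10": SWITCH, "198.51.100.5": BANK,
           "203.0.113.66": FAKE_SELF, "203.0.113.67": FAKE_OWN}
TRUSTED = {"Home Lab CA", "Public CA"}
```

The comparison is always made against what was typed in the address bar, so a poisoned DNS answer changes which server is reached but not which name its certificate has to carry. The impostor can either claim the right name with an untrusted issuer or show a trusted certificate for its own name, and both are rejected.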