I am working on implementing TLS for a client-server application. But the problem is that both client and server are on the same server: both communicate with just a port number.

So what should the common name (CN) be for the agent and the server? If I use a name other than the IP of the system, I get a warning message for "untrusted certificate warning". If I use the same CN name, the application is failing.

    • I am getting this error in the logs: "sslexception received fatal alert certificate_unknown". But I have added the CAs to the truststore and the same CA is signing the certificates. Please help me.

In TLS, the client certificate and the server certificate live in completely distinct worlds:

  • The server certificate is validated by the client.
  • The client certificate (when the server actually asks for a client certificate) is validated by the server.

There is no relation between these two certificates. There is no property that links them together. The two certificates are owned, sent, received and processed by distinct entities.

For a TLS connection to succeed, the server certificate must please the client; in particular, the client normally expects the intended server name to appear somewhere within the certificate, either in the Subject Alt Name extension, or, if there is no such extension, in the Common Name. This is specified in RFC 2818, section 3.1. This applies mostly if the connection is done through an https:// URL (the server name, as it appears in the URL, must also be in the server certificate). Notably, this match is by name, not by IP address; if client and server are on the same machine, then the URL should use the name "localhost" (not the IP address), and "localhost" should be part of the server certificate. Of course, this is not the only condition; the client should also be able to validate the certificate relative to a trusted authority.

Thanks to my abilities in haruspicy, I can make the hypothesis that your application locates certificates that it uses through the Common Name, so if you have two certificates with the same Common Name, the client or the server (or both) may choose the "wrong one".
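The name check described in the answer above (Subject Alt Name first, Common Name only when no DNS-type SAN exists), as an added example that is not part of the original answer. Certificates are dicts in the layout returned by Python's `ssl.SSLSocket.getpeercert()`; the sample certificates and function names are constructed for illustration.

```python
"""RFC 2818 section 3.1 server-name check over a parsed certificate."""


def dns_name_matches(pattern, hostname):
    """Compare label by label; '*' may only replace the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h) or "*" in p[1:]:
        return False
    return (p[0] == "*" or p[0] == h[0]) and p[1:] == h[1:]


def presented_names(cert):
    """Return (source, names): SAN dNSName entries if any exist, else the CN."""
    san = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if san:
        return "subjectAltName", san  # the CN is ignored once a DNS SAN is present
    cn = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return "commonName", cn


def server_name_ok(cert, hostname):
    """True if the name the client connects to appears in the server certificate."""
    _, names = presented_names(cert)
    return any(dns_name_matches(n, hostname) for n in names)


# Constructed samples (not real certificates).
# Server cert whose CN is an arbitrary label but whose SAN lists "localhost".
SERVER_CERT_SAN = {
    "subject": ((("commonName", "app-server"),),),
    "subjectAltName": (("DNS", "localhost"),),
}
# Older-style cert with no SAN: the CN is the only name the client can check.
SERVER_CERT_CN_ONLY = {"subject": ((("commonName", "localhost"),),)}
# Cert whose CN holds the machine's IP as text: no name match for "localhost".
SERVER_CERT_CN_IP = {"subject": ((("commonName", "192.0.2.10"),),)}

if __name__ == "__main__":
    for label, cert in [("SAN", SERVER_CERT_SAN),
                        ("CN only", SERVER_CERT_CN_ONLY),
                        ("CN = IP text", SERVER_CERT_CN_IP)]:
        source, names = presented_names(cert)
        print(f"{label:13} checked field={source:14} names={names} "
              f"localhost ok={server_name_ok(cert, 'localhost')}")
```

Because the check only ever looks at the server certificate, the client certificate's CN plays no part in it and can be chosen independently.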
