SSL X.509 Server Match Parameters and DN Matching

102466 Jul 15 2008
I've created a user and then modified it as follows:
alter user user1 identified externally as
'CN=acme, OU=acme, O=acme, L=NY, ST=NY, C=US';

The user also has a client wallet with a certificate signed by a trusted CA that is part of the root chain in the server wallet. The server has a server certificate signed by the same CA. I force DN matching by setting SSL_SERVER_DN_MATCH = TRUE on the client-side sqlnet.ora.

What prevents someone from constructing a client-side certificate with a DN that matches the DN of user1 issued by a trusted CA (the same CA that is in the server wallet) and logging into the database?

Is there a 2nd possibility in the per-user “Identified by” so that the “identified by” is a DN and <some other factor within the certificate>, usually certificate thumbprint OR serial number?

--
mohammed
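
The contrast the post draws, mapping a user by subject DN alone versus by DN plus a second attribute of the certificate, sketched as an added example (not part of the original post and not Oracle's implementation). The `authorize` function, the user map, the choice of a SHA-256 fingerprint as the second attribute, the DN comparison rules and the byte strings standing in for DER certificates are all assumptions; chain validation to a trusted CA is assumed to have already succeeded.

```python
import hashlib
import hmac
import re

def parse_dn(dn):
    """Parse a DN string into an ordered tuple of (type, value) pairs."""
    rdns = []
    # Split on commas that are not backslash-escaped (simplified RFC 4514).
    for part in re.split(r'(?<!\\),', dn):
        attr, sep, value = part.strip().partition('=')
        if not sep or not attr.strip() or not value.strip():
            raise ValueError(f"malformed RDN: {part!r}")
        # Assumption: types and values compare case-insensitively,
        # with runs of whitespace collapsed.
        rdns.append((attr.strip().upper(), ' '.join(value.split()).casefold()))
    return tuple(rdns)

def fingerprint(cert_der):
    """SHA-256 over the certificate's DER encoding, as lowercase hex."""
    return hashlib.sha256(cert_der).hexdigest()

def authorize(user_map, subject_dn, cert_der, require_pin):
    """Return the mapped user, or None if the certificate is not accepted.
    Assumes the chain already validated to a trusted CA."""
    presented = parse_dn(subject_dn)
    for user, (mapped_dn, pinned_fp) in user_map.items():
        if parse_dn(mapped_dn) != presented:
            continue
        if require_pin and not hmac.compare_digest(pinned_fp, fingerprint(cert_der)):
            return None  # right DN, but not the enrolled certificate
        return user
    return None

# Constructed stand-ins for the DER bytes of two certificates that carry
# the same subject DN (e.g. an original and a later issuance).
CERT_ENROLLED = b"constructed-der-bytes-enrolled"
CERT_OTHER = b"constructed-der-bytes-other-issuance"
DN = "CN=acme, OU=acme, O=acme, L=NY, ST=NY, C=US"
USER_MAP = {"user1": (DN, fingerprint(CERT_ENROLLED))}

if __name__ == "__main__":
    for label, der in (("enrolled", CERT_ENROLLED), ("other", CERT_OTHER)):
        for pin in (False, True):
            print(label, "pin" if pin else "dn-only",
                  authorize(USER_MAP, DN, der, pin))
```

With a pinned fingerprint, every renewal or reissue of the user's certificate requires updating the mapping, which is the operational cost of the second factor.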
Post Details
Locked on Aug 12 2008
Added on Jul 15 2008