|
security
newsgroups
|
|||||||||||||||||||||||
|
|||||||||||||||||||||||
Script to distinguish between Certificate Authorities (ex. Verisign, Thawte) SSLI'm wondering if anyone can help me out with a problem I'm facing. I need to have conditional code on a web page (asp) to show who the site authenticating Certificate Authority is. Of course the site is set up to use SSL. I've examined all IIS Server Variables (Request.ServerVariables). Unfortunately I was informed that the server variables names with a "CERT_" prefix are unreliable to test for CA's. Can anyone help? One application of this test would be to conditionally put a Verisign or Thawte logo on a sites log in page. Thanks. -C- Who told you those fields where "unreliable", and what was the reasoning
behind this? Request.ServerVariables() collection is populated from two distinct sources: data sent from the client, and data from the server itself. So, a field like HTTP_Referer is populated from the HTTP Referer: header sent from the client. Whether or not the client was actually coming from that previous page you can't really verify - the client can send any arbitrary data it likes. However something like Request.ServerVariables("Local_Addr") is not "unreliable" - this is the IP address /on the server/ where the request came in on. So, unless the administrator of the server is running some malicious code to confuse your ASP script (unlikely surely?), you can trust this value. So, if you have a look in the Request.ServerVariables collection, you will see fields like Cert_Server_Issuer and HTTPS_Server_Issuer. These contain details for the issuers of the server's certificate that's being used for the current request. I'm not entirely sure why those fields would be "unreliable" - they can't be spoofed by the client, because the data is not derived from anything the client send to the server. Cheers Ken Show quoteHide quote "copulus" <copulus[at]hotmail.com> wrote in message news:%23ZYld8gYFHA.2884@tk2msftngp13.phx.gbl... : Hi, : : I'm wondering if anyone can help me out with a problem I'm facing. : : I need to have conditional code on a web page (asp) to show who the site : authenticating Certificate Authority is. Of course the site is set up to : use SSL. : : I've examined all IIS Server Variables (Request.ServerVariables). : Unfortunately I was informed that the server variables names with a "CERT_" : prefix are unreliable to test for CA's. : : Can anyone help? : : One application of this test would be to conditionally put a Verisign or : Thawte logo on a sites log in page. : : Thanks. : : -C- : :  
Other interesting topics
Problems with authenticated users accessing asp's
Exchange relay for Exchange total newb can't access susadmin page Windows 2003 Server and IIS 6.0: Domain users can't access my web site :( SMTP Relaying Help Cannot Create new VS Web Project Wilcard Cert and Site Identifier number IIS 401 - Unauthorized to access the document IIS6 and Authentication across Servers and Domains IIS 6.0 anonymous access |
|||||||||||||||||||||||
