0

I'm interested to purchase a wild card SSL certificate for my public domain (say example.com), so that we can run intranet web servers using a universally recognized CA (e.g., GoDaddy). I do plan to publish the DNS names publicly (e.g. internal.example.com), but their IP addresses are actually LAN addresses (e.g., 192...*). We want to use public DNS, because these web servers may actually be development laptops which travel around, and thus we will use Dynamic DNS to update. It's our intention that these web servers will only be available on the LAN each one is currently running on.

Will that work universally with all clients, e.g., TLS v1.2 ?

Thanks.

4

1 回答 1

1

只要客户端可以将其流量路由到这些 IP 地址,它就可以工作(当然,否则您将无法获得连接)。

证书验证依赖于两点:

  • 及时验证证书的真实性、可信性和有效性。

  • 验证证书的身份是否与您要查找的内容相匹配(主机名验证)。

这不取决于DNS解析机制如何。这些机制也与 SSL/TLS 规范正交(尽管它们确实建议验证远程方的身份)。

我已经看到在各种客户端和平台(IE、Chrome、FF、Windows/Linux/Mac 上的 Java 客户端)上使用了这种设置,并且运行良好。

当然,是否所有的实现都做到这一点很难保证。例如,可能有一些实现认为执行反向 DNS 查找是个好主意。

于 2013-10-23T12:07:30.400 回答