Connections are still open to MITM attacks even if -nohostverify is NOT used AND OpenEdge correctly validates the entire certificate chain from server to client (which it does). These MITM attack vectors probably outweigh the risk associated with turning on -nohostverify, and OpenEdge cannot mitigate them.
While using -nohostverify does remove the check of the server's official DNS name against the CN field of the server certificate's Subject Name, it leaves verification of the entire certificate chain and the server private key fully in place. That verification checks each certificate's digital signature against its issuer's public key, along with the mandatory version 3 extension fields, starting with the server certificate and ending with the root CA, which must be present in the client. Self-signed server certificates must follow the same rules, with the root CA added to the list of trusted CAs in the client.
The -nohostverify option exists to give customers the choice of using server certificates whose Subject Name field does not follow the recommended practice of using the server's official DNS name, or to compensate for OE's limitations (i.e., wildcard certificates) in performing the current standard for server host name validation.
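
To see which server certificates fail the host-name step that -nohostverify turns off, the following added example (not OpenEdge code and not part of the original text) compares an exact CN comparison, assumed here from the description above, with wildcard-aware matching in the style of RFC 6125. Certificates use the dict shape returned by Python's `ssl.SSLSocket.getpeercert()`; all host names and function names are constructed for illustration.

```python
# Added illustration, not OpenEdge code. Certificates use the dict shape that
# Python's ssl.SSLSocket.getpeercert() returns; every name is a constructed sample.

def names(cert):
    """Return (common_names, dns_sans) from a getpeercert()-style dict."""
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    return cns, sans

def label_match(pattern, host):
    """Compare label by label; '*' may replace only the whole leftmost label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # Refuse over-broad patterns such as "*.test" and empty host labels.
        return len(p) >= 3 and h[0] != "" and p[1:] == h[1:]
    return p == h

def exact_cn_check(host, cert):
    """Assumption: a CN-only comparison with no wildcard handling."""
    cns, _ = names(cert)
    return any(cn.lower() == host.lower() for cn in cns)

def standard_check(host, cert):
    """Wildcard-aware: SAN dNSName entries win; CN is the fallback if none exist."""
    cns, sans = names(cert)
    return any(label_match(n, host) for n in (sans or cns))

def classify(host, cert):
    """Say what the host-name step would do with a chain-valid certificate."""
    if exact_cn_check(host, cert):
        return "passes host check"
    if standard_check(host, cert):
        return "wildcard/SAN only: exact-CN client rejects it"
    return "name mismatch: only skipping the check would accept it"

HOST = "app01.example.test"
CERTS = {
    "dns_cn": {"subject": ((("commonName", "app01.example.test"),),)},
    "wildcard": {"subject": ((("commonName", "*.example.test"),),),
                 "subjectAltName": (("DNS", "*.example.test"),)},
    "internal": {"subject": ((("commonName", "oe-appserver"),),)},
}

if __name__ == "__main__":
    for label, cert in CERTS.items():
        print(f"{label:9} {classify(HOST, cert)}")
```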