Hey,
On Tue, 2007-05-08 at 12:28 +0100, Daniel P. Berrange wrote:
> On Tue, May 08, 2007 at 12:20:17PM +0100, Richard W.M. Jones wrote:
> > The server knows only the IP address of the client (well, it could do a
> > DNS PTR lookup, but it shouldn't trust the results since they are under
> > the control of the client too!)
> >
> > But what is the real solution here? Either allow the client to have
> > multiple certificates (of course marked as IPv4 or IPv6 certificates,
> > and perhaps other namespaces too?!), or else do some name-mangling so
> > that IPv4 and IPv6 addresses can be compared, prepending or removing
> > ::ffff: as appropriate?
>
> So the question is, is there any meaningful security to be gained by having
> the server check the commonName field of the client's certificate against
> the client's incoming IP addr whether v4 or v6 ? Perhaps the only thing the
> server should be using the client cert's commonName field for is lookups in
> its whitelist of allowed clients ? Have you any idea what, say Exim or
> Apache, do for validation when getting a client cert ? Do they bother to
> check the commonName against the client's source addr, or do they merely
> use it for access control lookups ?
When we discussed this on irc back in February, I looked this up in
Postfix. So, looking back over the irc log:
* Postfix will auth a client if it can validate the cert (i.e. the
CA which issued the cert is trusted) and the fingerprint of the
client's cert is listed in the list of allowed clients:
http://www.postfix.org/postconf.5.html#relay_clientcerts
* It would seem reasonable to me that you could list *either* the
cert fingerprint of an allowed client or its SubjectName.
In the latter case, you'd merely check that the SubjectName field
in the (already validated) cert matches an entry in the list of
allowed clients - i.e. you don't interpret the contents of
SubjectName.
I've no clue why Postfix doesn't allow this - if you trust the CA,
then you can trust the SubjectName. This scheme would e.g. allow
you to issue a new certificate for a given client without updating
the list of allowed clients on the server.
* Also, Postfix allows you to trust all clients with certs from
trusted CAs:
http://www.postfix.org/postconf.5.html#permit_tls_all_clientcerts
It seems like an odd configuration option to me. You'd probably
only use this with a single trusted CA which you have direct
control over.
Cheers,
Mark.
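The allowlist scheme Mark outlines (accept a client whose cert chains to a trusted CA and whose fingerprint or literal subject name appears in a list, or optionally any cert from the trusted CA), written up as an added Python example for this thread. It is not libvirt or Postfix code. It assumes the TLS layer is a Python `ssl` server context with `CERT_REQUIRED`, so that `getpeercert()` only ever hands back a chain-validated certificate; the SHA-256 fingerprint format, the `ClientCertPolicy` class and the sample peer-cert dict and DER bytes are constructed for the example.

```python
"""Client-certificate allowlisting: fingerprint or exact subject match on a
cert the TLS layer has already validated. Example code for this thread, not
libvirt or Postfix code."""
import hashlib
import ipaddress
import ssl
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple


@dataclass
class ClientCertPolicy:
    # Colon-separated hex SHA-256 fingerprints of the DER-encoded cert
    # (assumption: Postfix's relay_clientcerts table uses its own digest
    # choice; SHA-256 is simply what this example uses).
    allowed_fingerprints: Set[str] = field(default_factory=set)
    # Exact subject strings, compared literally and never parsed for meaning,
    # so a re-issued cert with the same subject needs no list change.
    allowed_subjects: Set[str] = field(default_factory=set)
    # Equivalent of permit_tls_all_clientcerts: any cert the CA signed.
    permit_all_clientcerts: bool = False


def make_server_context(ca_file: str, cert_file: str, key_file: str) -> ssl.SSLContext:
    """Server context that refuses the handshake unless the client presents a
    cert chaining to ca_file; everything below relies on this having run."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(cert_file, key_file)
    ctx.load_verify_locations(cafile=ca_file)
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the DER bytes (what getpeercert(binary_form=True) returns),
    rendered as upper-case colon-separated hex."""
    digest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


_SHORT_NAMES: Dict[str, str] = {
    "countryName": "C", "stateOrProvinceName": "ST", "localityName": "L",
    "organizationName": "O", "organizationalUnitName": "OU", "commonName": "CN",
}


def subject_string(peer_cert: dict) -> str:
    """Flatten the 'subject' entry of an ssl.getpeercert() dict into a single
    'C=..,O=..,CN=..' string, preserving the order stored in the cert."""
    parts = []
    for rdn in peer_cert.get("subject", ()):
        for attr, value in rdn:
            parts.append(f"{_SHORT_NAMES.get(attr, attr)}={value}")
    return ",".join(parts)


def authorize(peer_cert: dict, der_cert: bytes, policy: ClientCertPolicy) -> Tuple[bool, str]:
    """Decide on a validated client cert. Returns (allowed, reason)."""
    if not peer_cert or not der_cert:
        # With CERT_REQUIRED this cannot happen after a successful handshake;
        # fail closed anyway rather than treat "no cert" as "any cert".
        return False, "no validated client certificate"
    fp = fingerprint(der_cert)
    if fp in {f.upper() for f in policy.allowed_fingerprints}:
        return True, f"fingerprint {fp} is allowlisted"
    subj = subject_string(peer_cert)
    if subj in policy.allowed_subjects:
        return True, f"subject '{subj}' is allowlisted"
    if policy.permit_all_clientcerts:
        return True, "any cert issued by the trusted CA is accepted"
    return False, f"cert {fp} with subject '{subj}' is not allowlisted"


def canonical_peer_address(addr: str) -> str:
    """Only needed if one insists on comparing names to source addresses:
    collapse the IPv4-mapped ::ffff:a.b.c.d form so v4 and v6 peers compare alike."""
    ip = ipaddress.ip_address(addr)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        return str(ip.ipv4_mapped)
    return str(ip)


# Constructed sample input: the shape getpeercert() returns, and stand-in DER
# bytes (not a real certificate; only their hash matters here).
SAMPLE_PEER_CERT = {
    "subject": ((("countryName", "IE"),), (("organizationName", "Example Ltd"),),
                (("commonName", "client1.example.org"),)),
    "issuer": ((("commonName", "Example Internal CA"),),),
}
SAMPLE_DER = b"constructed-stand-in-for-DER-client-cert-1"

if __name__ == "__main__":
    by_fp = ClientCertPolicy(allowed_fingerprints={fingerprint(SAMPLE_DER)})
    by_subject = ClientCertPolicy(allowed_subjects={"C=IE,O=Example Ltd,CN=client1.example.org"})
    for policy in (ClientCertPolicy(), by_fp, by_subject, ClientCertPolicy(permit_all_clientcerts=True)):
        print(authorize(SAMPLE_PEER_CERT, SAMPLE_DER, policy))
    print(canonical_peer_address("::ffff:192.0.2.1"))
```

The subject match is deliberately a literal string comparison: the server never interprets the commonName as a hostname or address, which is the distinction Dan draws between "check commonName against the source addr" and "use it for access control lookups".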