Re: [Libvir] [PATCH] Remote 3/8: Client-side
Daniel P. Berrange wrote:
So the question is, is there any meaningful security to be gained by
having
the server check the commonName field of the client's certificate against
the client's incoming IP addr whether v4 or v6 ? Perhaps the only thing the
server should be using the client cert's commonName field for is lookups in
its whitelist of allowed clients ? Have you any idea what, say Exim or
Apache, do for validation when getting a client cert ? Do they bother to
check the commonName against the client's source addr, or do they merely
use it for access control lookups ?
I'm sure the extra security afforded must be very marginal indeed.
Perhaps protection against IP address spoofing attacks? However those
aren't very common since operating systems started to choose decent
sequence numbers, and in any case while it might be possible to spoof a
three-way TCP handshake, I wouldn't want to try spoofing a TLS handshake...
So I don't know, but I'll take a look at the source for exim to see what
they do.
Rich.