From: Ken Milmore <ken.milmore@gmail.com>
To: Chuck Lever <chuck.lever@oracle.com>,
kernel-tls-handshake@lists.linux.dev
Subject: Re: [PATCH 5/7] server: Add boolean config option "verify_peername" under "[authenticate.server]".
Date: Sun, 8 Jun 2025 19:45:10 +0100 [thread overview]
Message-ID: <ace628ba-a7cb-45b2-a5f2-cd3810b0c1f2@gmail.com> (raw)
In-Reply-To: <b9815a8c-25a7-42ed-aa7a-f90821cf4853@oracle.com>
On 08/06/2025 19:30, Chuck Lever wrote:
> Perhaps a better option would be to test the socket's source address
> against the certificate's SAN field, if the SAN field contains one or
> more IP addresses. For a client with DHCP-assigned IP addresses, simply
> don't put an IP address in its certificate.
Well that's effectively what happens if you pass a textualized IP address to gnutls_certificate_verify_peers3(),
it is checked against the SAN as per RFC6125. But see the "verify_peeraddr" patch for that.
>
> That check could then be enabled all the time, and perhaps could be
> changed to "warn" instead of "reject".
>
> Still, this feels a little unnecessary. If a client's certificate is
> used by another peer, that means both the certificate and the client's
> private key are compromised. The usual way to handle that is with a
> certificate revocation.
>
Yes, but again, this is not to intended to guard against certificate leakage.
It is to enable secure discrimination between peers, otherwise clients can access each other's shares if they simply change IP address.
Clearly if you implement tags or some other mechanism of securely linking the certificate to the client, then that would also work
and would be more flexible.
This works and is useful for some limited use cases, which happen to include my use case! ;-)
prev parent reply other threads:[~2025-06-08 18:45 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-06-08 17:43 [PATCH 5/7] server: Add boolean config option "verify_peername" under "[authenticate.server]" Ken Milmore
2025-06-08 18:30 ` Chuck Lever
2025-06-08 18:45 ` Ken Milmore [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ace628ba-a7cb-45b2-a5f2-cd3810b0c1f2@gmail.com \
--to=ken.milmore@gmail.com \
--cc=chuck.lever@oracle.com \
--cc=kernel-tls-handshake@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox