From: Calum Mackay <calum.mackay@oracle.com>
To: Olga Kornievskaia <aglo@umich.edu>
Cc: Calum Mackay <calum.mackay@oracle.com>,
Linux NFS Mailing List <linux-nfs@vger.kernel.org>,
Chuck Lever <chuck.lever@oracle.com>
Subject: Re: ktls-utils: question about certificate verification
Date: Tue, 25 Jun 2024 20:48:11 +0100 [thread overview]
Message-ID: <fdd4e4ce-65eb-438e-88c0-2688b7fa196b@oracle.com> (raw)
In-Reply-To: <CAN-5tyE5XpM750=9rG0cfp4WHRxOtXAwvViVmc4kQEVnA1dmTw@mail.gmail.com>
On 25/06/2024 6:31 pm, Olga Kornievskaia wrote:
> On Fri, Jun 21, 2024 at 1:39 PM Calum Mackay <calum.mackay@oracle.com> wrote:
>>
>> On 21/06/2024 4:33 pm, Olga Kornievskaia wrote:
>>> Hi Calum,
>>>
>>> My surprise was to find that having the DNS name in CN was not
>>> sufficient when a SAN (with IP) is present. Apparently it's the old
>>> way of automatically putting the DNS name in CN and these days it's
>>> preferred to have it in the SAN.
>>>
>>> If the infrastructure doesn't require pnfs (ie mounting by IP) then it
>>> doesn't matter where the DNS name is put in the certificate whether it
>>> is in CN or the SAN. However, I found out that for pnfs server like
>>> ONTAP, the certificate must contain SAN with ipAddress and dnsName
>>
>> Noted, thanks very much Olga, that's useful.
>>
>>> extensions regardless of having DNS in CN. I have not tried doing
>>> wildcards (in SAN for the DNS name) but I assumed gnuTLS would accept
>>> them. I should try it.
>>
>> Wildcard didn't seem to work for me in CN, but I may not have tried it
>> in SAN; I'll do that too.
>
> I have tried to use a wildcard in the SAN and that didn't work for me.
> How about you? Specifically, I tried in the SAN
> "DS:netapp*.linux.fake" and tried to mount netapp119.linux.fake which
> failed with "certificate owner unexpected" (meaning certificate didnt
> find anything match to netapp119.linux.fake.
hi Olga, yes, exactly the same here. Wildcards don't work for me in
either CN or SAN.
What I've been doing in my testing, when the host full DNS name is > 64
chars, is to use the simple hostname as the CN (for ease of
identification in e.g. "trust list") and the full DNS name in a SAN DNS:
extension, and that is working well.
thanks,
calum.
next prev parent reply other threads:[~2024-06-25 19:48 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-06-20 21:44 ktls-utils: question about certificate verification Calum Mackay
2024-06-21 15:33 ` Olga Kornievskaia
2024-06-21 17:39 ` Calum Mackay
2024-06-25 17:31 ` Olga Kornievskaia
2024-06-25 19:48 ` Calum Mackay [this message]
2024-06-26 1:04 ` Rick Macklem
2024-06-26 13:29 ` Calum Mackay
2024-06-26 17:33 ` Olga Kornievskaia
-- strict thread matches above, loose matches on Subject: below --
2024-05-31 17:23 Olga Kornievskaia
2024-05-31 17:27 ` Chuck Lever III
2024-05-31 17:40 ` Olga Kornievskaia
2024-05-31 18:01 ` Chuck Lever III
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=fdd4e4ce-65eb-438e-88c0-2688b7fa196b@oracle.com \
--to=calum.mackay@oracle.com \
--cc=aglo@umich.edu \
--cc=chuck.lever@oracle.com \
--cc=linux-nfs@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox