[Libvir] [PATCH] Remote 3/8: Client-side

Richard W.M. Jones rjones at redhat.com
Mon May 14 13:04:37 UTC 2007

Mark McLoughlin wrote:
>> It may also check that the client's IP address is on a whitelist 
>> contained in the server configuration file, although by default this 
>> check is switched off.
> 	And this has nothing to do with TLS or X.509 certificates. It's no
> different from e.g. libwrap.

Sure, separate issue.

>   1) Validate the cert was issued by a trusted CA, deny if no
>   2) Ignore the IP address of client
>   3) First check whether the cert fingerprint is on the list of allowed 
>      client fingerprints, allow if yes
>   4) Otherwise check whether the contents of the SubjectName name field 
>      is on the list of allowed client SubjectNames, allow if yes, deny 
>      if no
> 	Postfix does (3), but not (4). Apache does (4), in a fairly fancy way,
> but not (3).

My reading of:


The Postfix list manipulation routines give special treatment to 
whitespace and some other characters, making the use of certificate 
names impractical. Instead we use the certificate fingerprints as they 
are difficult to fake but easy to use for lookup.

... is that Postfix would do (4), but does (3) because of a shortcoming 
in its configuration file format.  (I read "certificate name" to mean 
DN).  We don't have that problem.  Mark, what do you think?


Emerging Technologies, Red Hat - http://et.redhat.com/~rjones/
Registered Address: Red Hat UK Ltd, Amberley Place, 107-111 Peascod
Street, Windsor, Berkshire, SL4 1TE, United Kingdom.  Registered in
England and Wales under Company Registration No. 03798903
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3237 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/libvir-list/attachments/20070514/62594557/attachment-0001.bin>

More information about the libvir-list mailing list