[Libvir] [PATCH] Remote 3/8: Client-side
Richard W.M. Jones
rjones at redhat.com
Tue May 8 12:45:17 UTC 2007
Daniel P. Berrange wrote:
> So the question is, is there any meaningful security to be gained by having
> the server check the commonName field of the client's certificate against
> the client's incoming IP addr whether v4 or v6? Perhaps the only thing the
> server should be using the client cert's commonName field for is lookups in
> its whitelist of allowed clients? Have you any idea what, say Exim or
> Apache, do for validation when getting a client cert? Do they bother to
> check the commonName against the client's source addr, or do they merely
> use it for access control lookups?
I'm sure the extra security afforded must be very marginal indeed.
Perhaps protection against IP address spoofing attacks? However, those
aren't very common since operating systems started to choose decent
sequence numbers, and in any case, while it might be possible to spoof a
three-way TCP handshake, I wouldn't want to try spoofing a TLS handshake...
So I don't know, but I'll take a look at the source for exim to see what
they do.
Rich.
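The approach Daniel floats above, using the client certificate's commonName only as a key into a whitelist of allowed clients rather than comparing it to the source address, looks like this in a server. This is an added example written for this page, not code from the libvirt patch or from Exim or Apache; the certificate dictionaries are constructed samples in the shape Python's `ssl.SSLSocket.getpeercert()` returns, and the CA file path in `make_server_context` is a hypothetical argument supplied by the caller.

```python
import ssl
from typing import Iterable, Mapping, Optional

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns for a
# verified peer certificate (hypothetical client; not from the libvirt thread).
SAMPLE_PEERCERT = {
    "subject": (
        (("countryName", "GB"),),
        (("organizationName", "Example Org"),),
        (("commonName", "client1.example.com"),),
    ),
    "issuer": (
        (("commonName", "Example Org CA"),),
    ),
    "notAfter": "Jan  1 00:00:00 2030 GMT",
}

# Constructed sample with two commonName attributes; a whitelist lookup should
# treat that as ambiguous and deny rather than silently pick one of them.
AMBIGUOUS_PEERCERT = {
    "subject": (
        (("commonName", "client1.example.com"),),
        (("commonName", "admin.example.com"),),
    ),
}


def subject_common_names(cert: Optional[Mapping]) -> list:
    """Return every commonName attribute in the certificate subject, in order."""
    if not cert:  # None or {} means no client certificate was presented
        return []
    names = []
    for rdn in cert.get("subject", ()):
        for attr_type, value in rdn:
            if attr_type == "commonName":
                names.append(value)
    return names


def peer_common_name(cert: Optional[Mapping]) -> Optional[str]:
    """The single commonName of the peer, or None if absent or ambiguous."""
    names = subject_common_names(cert)
    return names[0] if len(names) == 1 else None


def is_client_allowed(cert: Optional[Mapping], allowed: Iterable[str]) -> bool:
    """Whitelist decision: exact, case-sensitive match of the peer's CN.
    No certificate, no CN, or more than one CN all result in a denial."""
    cn = peer_common_name(cert)
    return cn is not None and cn in set(allowed)


def make_server_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """Server-side context that requires a client certificate and verifies it
    against `cafile` (hypothetical path chosen by the caller). Chain validation
    happens in the TLS handshake; the CN whitelist is applied afterwards."""
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
    ctx.verify_mode = ssl.CERT_REQUIRED
    if cafile:
        ctx.load_verify_locations(cafile=cafile)
    return ctx


if __name__ == "__main__":
    # Usage sketch once `conn = ctx.wrap_socket(sock, server_side=True)` has
    # completed the handshake:
    #     if not is_client_allowed(conn.getpeercert(), ALLOWED): conn.close()
    allowed = {"client1.example.com"}
    print(is_client_allowed(SAMPLE_PEERCERT, allowed))     # True
    print(is_client_allowed(AMBIGUOUS_PEERCERT, allowed))  # False
    print(is_client_allowed({}, allowed))                  # False
```

The split matters: `CERT_REQUIRED` plus the CA file makes the handshake prove that the client holds the private key for a certificate the server's CA issued, so the CN can be trusted as an identity; the whitelist then decides what that identity may do. Comparing the CN to the peer's IP address would add nothing to the first step, which is the point made in the reply above.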