[Libvir] [PATCH] Remote 3/8: Client-side

Richard W.M. Jones rjones at redhat.com
Tue May 8 12:45:17 UTC 2007

Daniel P. Berrange wrote:
> So the question is, is there any meaningful security to be gained by having
> the server check the commonName field of the client's certificate against
> the client's incoming IP addr whether v4 or v6 ?  Perhaps the only thing the
> server should be using the client cert's commonName field for is lookups in
> its whitelist of allowed clients ?   Have you any idea what, say Exim or
> Apache, do for validation when getting a client cert ? Do they bother to
> check the commonName against the client's source addr, or do they merely
> use it for access control lookups ?

I'm sure the extra security afforded must be very marginal indeed. 
Perhaps protection against IP address spoofing attacks?  However those 
aren't very common since operating systems started to choose decent 
sequence numbers, and in any case while it might be possible to spoof a 
three-way TCP handshake, I wouldn't want to try spoofing a TLS handshake...

So I don't know, but I'll take a look at the source for exim to see what 
they do.


More information about the libvir-list mailing list