[Libvir] [PATCH] Remote 3/8: Client-side

Mark McLoughlin markmc at redhat.com
Fri May 11 17:54:40 UTC 2007


Hey,

On Tue, 2007-05-08 at 12:28 +0100, Daniel P. Berrange wrote:
> On Tue, May 08, 2007 at 12:20:17PM +0100, Richard W.M. Jones wrote:

> > The server knows only the IP address of the client (well, it could do a 
> > DNS PTR lookup, but it shouldn't trust the results since they are under 
> > the control of the client too!)
> > 
> > But what is the real solution here?  Either allow the client to have 
> > multiple certificates (of course marked as IPv4 or IPv6 certificates, 
> > and perhaps other namespaces too?!), or else do some name-mangling so 
> > that IPv4 and IPv6 addresses can be compared, prepending or removing 
> > ::ffff: as appropriate?
> 
> So the question is, is there any meaningful security to be gained by having
> the server check the commonName field of the client's certificate against
> the client's incoming IP addr whether v4 or v6 ?  Perhaps the only thing the
> server should be using the client cert's commonName field for is lookups in
> its whitelist of allowed clients ?   Have you any idea what, say Exim or
> Apache, do for validation when getting a client cert ? Do they bother to
> check the commonName against the client's source addr, or do they merely
> use it for access control lookups ?

When we discussed this on IRC back in February, I looked this up in
Postfix. So, looking back over the IRC log:

  * Postfix will auth a client if it can validate the cert (i.e. the 
    CA which issued the cert is trusted) and the fingerprint of the 
    client's cert is listed in the list of allowed clients:

      http://www.postfix.org/postconf.5.html#relay_clientcerts

  * It would seem reasonable to me that you could list *either* the 
    cert fingerprint of an allowed client or its SubjectName.

    In the latter case, you'd merely check that the SubjectName field 
    in the (already validated) cert matches an entry in the list of 
    allowed clients - i.e. you don't interpret the contents of 
    SubjectName.

    I've no clue why Postfix doesn't allow this - if you trust the CA, 
    then you can trust the SubjectName. This scheme would e.g. allow 
    you to issue a new certificate for a given client without updating 
    the list of allowed clients on the server.

  * Also, Postfix allows you to trust all clients with certs from 
    trusted CAs:

      http://www.postfix.org/postconf.5.html#permit_tls_all_clientcerts

    It seems like an odd configuration option to me. You'd probably 
    only use this with a single trusted CA which you have direct 
    control over.

Cheers,
Mark.
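
The two allowlist lookups described above (match by certificate fingerprint, as with Postfix's relay_clientcerts, or by an uninterpreted SubjectName), as an added example in Go; this is not code from the thread or from libvirt. The function names Authorize, Fingerprint and selfSignedClientCert, and the CN client1.example.org, are assumptions, and the example assumes the certificate chain has already been validated against a trusted CA before Authorize is called.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"math/big"
	"time"
)

// Fingerprint returns the lower-case hex SHA-256 digest of the DER encoding,
// the kind of value a Postfix relay_clientcerts list carries.
func Fingerprint(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.Raw)
	return hex.EncodeToString(sum[:])
}

// Authorize does the two lookups discussed above on an already chain-validated
// certificate: the allowlist may hold the fingerprint or the subject CN. The CN
// is matched as an opaque string, never parsed or compared with the source IP.
func Authorize(cert *x509.Certificate, allowed map[string]bool) bool {
	return allowed[Fingerprint(cert)] || allowed[cert.Subject.CommonName]
}

// selfSignedClientCert builds a constructed, throwaway client certificate so
// the example runs offline; in practice the cert comes from the TLS handshake.
func selfSignedClientCert(cn string) (*x509.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
```

Because the lookup keys are the fingerprint and the CN string alone, re-issuing a client's certificate under the same CN keeps it authorized without touching the server's list, which is the benefit noted above.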
