Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Further secure TLS communications #97

Open
wants to merge 4 commits into
base: master
Choose a base branch
from
Open

Further secure TLS communications #97

wants to merge 4 commits into from

Conversation

saroshali-dbx
Copy link
Contributor

Closes #96

@saroshali-dbx
add common-name verification
f3c28b2 
Signed-off-by: saroshali-dbx <saroshali@dropbox.com>
@saroshali-dbx
fix tests
fefab48 
Signed-off-by: saroshali-dbx <saroshali@dropbox.com>
@saroshali-dbx
missing import
d123494 
Signed-off-by: saroshali-dbx <saroshali@dropbox.com>
@saroshali-dbx
Fix tests
69f5c39 
Signed-off-by: saroshali-dbx <saroshali@dropbox.com>
@saroshali-dbx saroshali-dbx mentioned this pull request Jul 8, 2022
Open
@saroshali-dbx
Copy link
Contributor Author

gentle ping @roidelapluie @SuperQ :)

For context, here's the issue created for the downstream dependency - weaveworks/common#242

@SuperQ
Copy link
Member

SuperQ commented Aug 1, 2022

I thought most certificate validation has moved to verifying SANs, not CNs.

@saroshali-dbx
Copy link
Contributor Author

I thought most certificate validation has moved to verifying SANs, not CNs.

Yeah, thats the intention with SANs to be able to get around the limitation of only being able to specify a single server-name in CN. I ported this functionality from etcd -- and my organization still utilizes common-name -- but I can update this PR to check SANs first and then fallback to CNs. How does that sound?

@roidelapluie
Copy link
Member

Actually that's a good point @SuperQ , even go uses SAN's and has removed support for CN. I think we should follow go and use SANs

SuperQ
SuperQ requested changes Oct 24, 2022
View reviewed changes
Copy link
Member

@SuperQ SuperQ left a comment
edited

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Common Name is deprecated for validation. This needs to use SANs.

From RFC 2818, May 2000:

Although the use of the Common Name is existing practice, it is deprecated and Certification Authorities are encouraged to use the dNSName instead.

Chrome-based browsers dropped CN-only in 2017.

@chodges15 chodges15 mentioned this pull request Jan 10, 2023
Merged
@bboreham
Copy link
Member

@saroshali-dbx are you likely to return to this, or shall we close it?

@logopk
Copy link

logopk commented Mar 17, 2023
edited

Just a question: isn't SAN or any other DNS unusual for client certs? I usually create them with

C = DE, ST = xxx, L = xx, O = xxx, OU = xxx, CN=me@myself.de

Thus given the 3.2
SHOULD check the identity as described above

leads me to
Otherwise, the (most specific) Common Name field in the Subject field of the certificate MUST be used

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@SuperQ SuperQ SuperQ requested changes

Requested changes must be addressed to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Further secure TLS communications
5 participants
@saroshali-dbx @SuperQ @roidelapluie @bboreham @logopk