
Re: Verifying 'CN' in client certificates using TLS



On Wed, Feb 06, 2002 at 03:05:14AM -0800, Howard Chu wrote:

> Pretty much. Remember that in TLS, client certificates are always optional.
> When you turn on TLSVerifyClient, the only thing that the library cares
> about is that all of the signing CAs are recognized/trusted, and the
> signatures are correct. Again, remember that you're dealing with a client
> cert here, not a server cert. The rules and standard usage for each are
> different.

Valid point.


> > Is there a way to enforce 'CN' checking against a directory entry
> > which details DNS hostname, or even better IP address, in OpenLDAP?
> 
> In most installations, client certificates are given to people, not hosts,
> so verifying the CN in a client cert against DNS hostnames makes no sense.
> I'm curious though, what exactly are you trying to accomplish here? Since
> you run the CA that generated the certs, you should already know who has a
> valid one and who doesn't. Also, you already know the IP addresses
> associated with the machines that you assigned certs to. I would think that
> just using TLSVerifyClient in combination with IP-address based ACLs would
> give you sufficient security, but I don't understand what you're trying to
> test or protect against.

I am trying to move away from the use of IP based ACLs as much as possible,
and therefore trying to ensure that the client certs being presented are
from the correct source, as this is my only ultimate trust on the client/host.
I realise this is still open to DNS and IP spoofing if a cert is compromised,
but I intend to add extra layers around this that make admin on the LDAP
side just a little easier. <I hope>


Steve
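The two approaches discussed in this thread side by side, as an added slapd.conf fragment that is not from the original posts or from the OpenLDAP project: the IP-address ACL Howard suggests, and an ACL keyed on the identity the client proves with its certificate (SASL EXTERNAL bind over TLS), which is what Steve is after. File paths, DNs, the 192.0.2.10 address, the `ou=hosts` naming scheme and the authz-regexp mapping are assumptions; `authz-regexp` and `peername.ip` use OpenLDAP 2.2+ syntax.

```conf
# --- TLS setup (assumed paths) ---
TLSCACertificateFile   /etc/openldap/cacert.pem
TLSCertificateFile     /etc/openldap/slapd-cert.pem
TLSCertificateKeyFile  /etc/openldap/slapd-key.pem

# As Howard notes, this only checks that the client cert chains to a
# trusted CA and the signatures verify. It says nothing about WHICH
# client presented it; that has to come from the ACLs below.
TLSVerifyClient demand

# --- Approach 1: trust the source address (IP-based ACL) ---
# Any client connecting from 192.0.2.10 that passed TLSVerifyClient gets
# read access. Trust is tied to the address, which is what Steve wants
# to move away from.
access to dn.subtree="ou=hosts,dc=example,dc=com"
    by peername.ip=192.0.2.10 read
    by * none

# --- Approach 2: trust the certificate's subject (SASL EXTERNAL) ---
# When the client binds with SASL EXTERNAL over TLS, slapd uses the
# certificate's subject DN as the authentication identity. Map that
# subject (assumed form: cn=<host>,ou=hosts,o=example) onto the host's
# directory entry so ordinary dn-based ACLs apply.
authz-regexp
    "^cn=([^,]+),ou=hosts,o=example$"
    "cn=$1,ou=hosts,dc=example,dc=com"

# Now access follows the key the client holds, not the address it
# connects from; a spoofed source IP without the matching cert gets
# nothing.
access to dn.subtree="ou=hosts,dc=example,dc=com"
    by dn.exact="cn=host1,ou=hosts,dc=example,dc=com" read
    by * none
```

With approach 2 the client must bind with `-Y EXTERNAL -ZZ` (ldapsearch) so the certificate identity is actually asserted; a plain anonymous bind over TLS still presents the cert but is not mapped to a DN.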