Hiya Rick -

On 5/19/25 9:44 PM, Rick Macklem wrote:
> Do you also have some configurable settings for if/how the DNS
> field in the client's X.509 cert is checked?
> The range is, imho:
> - Don't check it at all, so the client can have any IP/DNS name (a mobile
>   device). The least secure, but still pretty good, since the cert. verified.
> - DNS matches a wildcard like *.umich.edu for the reverse DNS name for
>   the client's IP host address.
> - DNS matches exactly what reverse DNS gets for the client's IP host address.

I've been told repeatedly that certificate verification must not depend on DNS because DNS can be easily spoofed.

To date, the Linux implementation of RPC-with-TLS depends on having the peer's IP address in the certificate's SAN.

I recognize that tlshd will need to bend a little for clients that use a dynamically allocated IP address, but I haven't looked into it yet. Perhaps client certificates do not need to contain their peer IP address, but server certificates do, in order to enable mounting by IP instead of by hostname.

> Wildcards are discouraged by some RFC, but are still supported by OpenSSL.

I would prefer that we follow the guidance of RFCs where possible, rather than a particular implementation that might have historical reasons to permit a lack of security.

I'll need to find out what flexibility GnuTLS offers. tlshd on Linux cannot use OpenSSL because its license is incompatible with GPLv2, which is the license the Linux kernel uses.

-- 
Chuck Lever
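As an added example (not part of the thread, and not tlshd or GnuTLS code), the three DNS-check options Rick lists, plus the IP-address SAN check Chuck describes, written as a policy function over SAN entries. The SAN list is constructed inline rather than parsed from a real certificate, and the reverse-DNS lookup of the peer address is assumed to have been done already by the caller.

```python
"""Peer-identity policy check modelled on the options discussed in the thread.
Added illustration only; SAN entries are constructed, not read from X.509."""
import ipaddress
from enum import Enum
from typing import List, Optional, Tuple

SanList = List[Tuple[str, str]]  # ("DNS", name) or ("IP", address)


class DnsPolicy(Enum):
    NONE = "none"          # do not check DNS SAN entries at all
    WILDCARD = "wildcard"  # allow a single leftmost '*' label (RFC 6125 style)
    EXACT = "exact"        # reverse-DNS name must match a DNS SAN exactly


def _dns_matches(pattern: str, hostname: str, allow_wildcard: bool) -> bool:
    """Case-insensitive match; '*' may only replace the whole leftmost label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not allow_wildcard or not pattern.startswith("*."):
        return False
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # The wildcard covers exactly one label and must leave at least two
    # fixed labels, so "*.edu" never matches anything.
    return (len(p_labels) == len(h_labels) and len(p_labels) >= 3
            and p_labels[1:] == h_labels[1:])


def ip_matches(san_entries: SanList, peer_ip: str) -> bool:
    """The check Chuck describes: the peer's IP address must appear as an IP SAN."""
    peer = ipaddress.ip_address(peer_ip)
    return any(kind == "IP" and ipaddress.ip_address(val) == peer
               for kind, val in san_entries)


def dns_policy_ok(san_entries: SanList, reverse_name: Optional[str],
                  policy: DnsPolicy) -> bool:
    """Apply one of Rick's three DNS policies to the DNS SAN entries.
    reverse_name is the already-resolved reverse-DNS name of the peer IP;
    None means the lookup failed, which fails any policy that relies on it."""
    if policy is DnsPolicy.NONE:
        return True
    if reverse_name is None:
        return False
    allow = policy is DnsPolicy.WILDCARD
    return any(kind == "DNS" and _dns_matches(val, reverse_name, allow)
               for kind, val in san_entries)


# Constructed sample SAN list, as a certificate parser would hand it over.
CLIENT_SAN: SanList = [("DNS", "*.umich.edu"), ("IP", "192.0.2.10")]
```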