
RE: Verifying 'CN' in client certificates using TLS



> -----Original Message-----
> From: owner-openldap-software@OpenLDAP.org
> [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of Steve Powers

> I'm successfully using nss_ldap and pam_ldap with client<=>server and
> server<=>client X.509 certificate verification using the following config:
>
> client side:
> -----------
...

> server side:
> -----------
>
> etc...
>
> TLSCertificateFile
> /usr/local/openldap/etc/openldap/ldap.contraption.com.crt
> TLSCertificateKeyFile
> /usr/local/openldap/etc/openldap/ldap.contraption.com.key
> TLSCACertificateFile /usr/local/openldap/etc/openldap/CAcert.pem
> TLSVerifyClient 1

> However, the 'CN' value of my client certificate is completely ignored,
> as I can install the same certificates across several clients (machines in
> this case) and they will work. I'm therefore deducting that provided the
> client certs have been signed by my trusted CA (my own in this case) the
> 'CN' value is unimportant?

Pretty much. Remember that in TLS, client certificates are always optional.
When you turn on TLSVerifyClient, the only thing that the library cares
about is that all of the signing CAs are recognized/trusted, and the
signatures are correct. Again, remember that you're dealing with a client
cert here, not a server cert. The rules and standard usage for each are
different.

> Is there a way to enforce 'CN' checking against a directory entry
> which details DNS hostname, or even better IP address, in OpenLDAP?

In most installations, client certificates are given to people, not hosts,
so verifying the CN in a client cert against DNS hostnames makes no sense.
I'm curious though, what exactly are you trying to accomplish here? Since
you run the CA that generated the certs, you should already know who has a
valid one and who doesn't. Also, you already know the IP addresses
associated with the machines that you assigned certs to. I would think that
just using TLSVerifyClient in combination with IP-address based ACLs would
give you sufficient security, but I don't understand what you're trying to
test or protect against.
>
> Any help greatly appreciated.
>
> Steve

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support
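A worked example of the combination Howard suggests (added here; it is not part of the thread, nor an OpenLDAP sample): an slapd.conf fragment that demands a CA-signed client certificate and then restricts access by the peer's IP address, since the certificate check alone says nothing about which machine presented it. The certificate paths are the ones quoted in the thread; the subtree, the 192.0.2.x addresses and the tls_ssf value are assumptions.

```conf
# slapd.conf fragment (added example). Paths are those quoted in the thread;
# the suffix and addresses below are placeholders.
TLSCACertificateFile  /usr/local/openldap/etc/openldap/CAcert.pem
TLSCertificateFile    /usr/local/openldap/etc/openldap/ldap.contraption.com.crt
TLSCertificateKeyFile /usr/local/openldap/etc/openldap/ldap.contraption.com.key

# Require a client certificate that chains to the trusted CA ("demand" is the
# keyword spelling; the thread uses an older numeric level). As the reply
# notes, this verifies only the chain and signatures, not the CN.
TLSVerifyClient demand

# Pair the certificate requirement with peer-address ACLs, so a certificate
# copied onto an unexpected machine is still refused from that address.
# tls_ssf=128 additionally rejects sessions that are not TLS-protected.
access to dn.subtree="ou=People,dc=contraption,dc=com"
    by peername.ip=192.0.2.10 tls_ssf=128 read
    by peername.ip=192.0.2.0%255.255.255.0 tls_ssf=128 read
    by * none
```

Order matters in slapd ACLs: the first matching `by` clause wins, so the catch-all `by * none` must stay last.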