IceSSL.CheckCertName has no effect

Hello,

it seems like setting

IceSSL.CheckCertName=1

has no effect at all. The certificate presented by the client contains one IP address, but requests can be made from any IP address.

The manual states:
This property has no effect on the validation of client certificates.
If no match is found, IceSSL aborts the connection attempt and raises an exception.

Which is a little bit confusing. So it doesn't affect the validation of the cert, but should abort the connection attempt?!?

(This is using glacier2 / openssl / unix)

Thanks
Michael

Comments

  • benoit (Rennes, France)
    Hi,

    This should be fixed in Ice 3.3.1. Which Ice version do you use?

    Cheers,
    Benoit.
  • In fact I'm using 3.3.1.

    Here's my glacier2 IceSSL config:
    Ice.Plugin.IceSSL=IceSSL:createIceSSL
    IceSSL.DefaultDir=certs
    IceSSL.CertAuthFile=ca_cert.pem
    IceSSL.CertFile=ca/db/ca_cert.pem
    IceSSL.KeyFile=ca/db/ca_key.pem
    IceSSL.CheckCertName=1
    
  • Hi Benoit,

    I just found that comment in the code handling this option:
            //
            // Compare the peer's address against the dnsName and ipAddress values.
            // This is only relevant for an outgoing connection.
            //
    which relates to
    IceSSL attempts to match the server's host name
    So I assume there's a misunderstanding on my side about how this is supposed to work. It seems this is only designed for outgoing connections, using certs signed by the CA that contain IP addresses. I assumed it also worked for incoming connections (first the cert is verified, then the contained IPs are verified against the client IP address, which in theory should add some extra security if firewall admins made a mistake).

    Cheers
    Michael
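The check Michael expected for incoming connections, as an added example that is not part of this thread or of Ice/IceSSL itself: a server-side routine that verifies the client certificate's subjectAltName covers the connection's source address, written in Python against the dict shape that ssl.SSLSocket.getpeercert() returns. The sample certificate dict and addresses are constructed; the code also goes a little beyond the thread by normalising IPv4-mapped IPv6 peers and matching dNSName entries with a single leftmost wildcard.

```python
import ipaddress
from typing import Optional

# Constructed sample in the shape of ssl.SSLSocket.getpeercert() for a client
# certificate carrying one dNSName and one iPAddress subjectAltName entry.
SAMPLE_PEER_CERT = {
    "subject": ((("commonName", "client.example.test"),),),
    "subjectAltName": (("DNS", "client.example.test"), ("IP Address", "192.0.2.10")),
}


def _dns_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125 style match: case-insensitive, '*' allowed only as the whole leftmost label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # Reject '*.tld', partial-label wildcards and depth mismatches.
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def peer_matches_cert(peer_cert: dict, peer_ip: str, peer_hostname: Optional[str] = None) -> bool:
    """True if the incoming connection's source address is covered by the cert's SAN.

    Intended to run after the normal chain validation has already succeeded; it only
    binds the (already trusted) certificate to the address that actually connected.
    """
    sans = peer_cert.get("subjectAltName", ())
    ip_sans = [value for kind, value in sans if kind == "IP Address"]
    dns_sans = [value for kind, value in sans if kind == "DNS"]
    if not ip_sans and not dns_sans:
        return False  # nothing in the cert ties it to an address: fail closed
    addr = ipaddress.ip_address(peer_ip)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped  # ::ffff:192.0.2.10 is the same peer as 192.0.2.10
    for value in ip_sans:
        try:
            if ipaddress.ip_address(value) == addr:
                return True
        except ValueError:
            continue  # malformed SAN entry never matches
    if peer_hostname:  # only consulted when the caller resolved the peer name itself
        return any(_dns_matches(p, peer_hostname) for p in dns_sans)
    return False
```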