IceSSL.CheckCertName has no effect
Hello,
it seems like setting
IceSSL.CheckCertName=1
has no effect at all. The certificate presented by the client contains one IP address, but requests can be made from any IP address.
The manual states:
"This property has no effect on the validation of client certificates."
"If no match is found, IceSSL aborts the connection attempt and raises an exception."
Which is a little bit confusing. So it doesn't affect the validation of the cert, but should abort the connection attempt?!?
(This is using glacier2 / openssl / unix)
Thanks
Michael
Comments
Hi,
This should be fixed in Ice 3.3.1. Which Ice version do you use?
Cheers,
Benoit.
In fact I'm using 3.3.1.
Here's my glacier2 IceSSL config:
Ice.Plugin.IceSSL=IceSSL:createIceSSL
IceSSL.DefaultDir=certs
IceSSL.CertAuthFile=ca_cert.pem
IceSSL.CertFile=ca/db/ca_cert.pem
IceSSL.KeyFile=ca/db/ca_key.pem
IceSSL.CheckCertName=1
Hi Benoit,
I just found that comment in the code handling this option:
//
// Compare the peer's address against the dnsName and ipAddress values.
// This is only relevant for an outgoing connection.
//
which relates to "IceSSL attempts to match the server's host name".
So I assume there's a misunderstanding on my side about how this is supposed to work. It seems this is only designed for outgoing connections, using certs signed by the CA containing IP addresses. I assumed it also works for incoming connections (first the cert is verified, then the contained IPs are verified against the client's IP address, which in theory should add some extra security if firewall admins made a mistake).
Cheers
Michael
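An added illustration (not IceSSL's code, and not part of the thread) of what a CheckCertName-style check compares, following the code comment quoted above: the address the client intended to connect to is matched against the certificate's dNSName and iPAddress SAN entries. That intended address only exists on the outgoing side, which is why the check has nothing to compare for an incoming connection. The SAN values below are constructed.

```python
import ipaddress
from typing import Iterable, Optional

def _dns_label_match(pattern: str, host: str) -> bool:
    """Case-insensitive dNSName match; a wildcard is honoured only as the
    entire leftmost label (RFC 6125 style) and must leave two fixed labels."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern == host:
        return True
    p_labels, h_labels = pattern.split("."), host.split(".")
    if len(p_labels) != len(h_labels) or len(p_labels) < 3:
        return False
    return p_labels[0] == "*" and p_labels[1:] == h_labels[1:]

def check_cert_name(expected_peer: str,
                    dns_names: Iterable[str],
                    ip_addresses: Iterable[str]) -> Optional[str]:
    """Outgoing-connection check: compare the host the client meant to reach
    against the server certificate's dNSName / iPAddress SAN values.
    Returns the matching SAN entry, or None when the connection must abort."""
    try:
        target = ipaddress.ip_address(expected_peer.strip("[]"))
    except ValueError:
        target = None
    if target is not None:
        # An IP literal is only compared (as a parsed address, so IPv6 spelling
        # differences do not matter) against iPAddress entries; a dNSName that
        # merely looks like "10.0.0.1" never satisfies it.
        for entry in ip_addresses:
            try:
                if ipaddress.ip_address(entry) == target:
                    return entry
            except ValueError:
                continue  # malformed SAN entry: skip, never match
        return None
    for entry in dns_names:
        if _dns_label_match(entry, expected_peer):
            return entry
    return None

# Constructed SAN contents for illustration (not from the original post).
SAN_DNS = ["glacier2.example.test", "*.internal.example.test"]
SAN_IPS = ["203.0.113.10", "2001:db8::10"]

if __name__ == "__main__":
    print(check_cert_name("203.0.113.10", SAN_DNS, SAN_IPS))          # 203.0.113.10
    print(check_cert_name("GLACIER2.example.test", SAN_DNS, SAN_IPS)) # glacier2.example.test
    print(check_cert_name("198.51.100.7", SAN_DNS, SAN_IPS))          # None -> abort
```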