With this, if the CN doesn't follow the expected matching rules, then the client will iterate through the listed `subjectAltNames` to determine whether the certificate matches the current host.

This includes support for CNs and SANs with wildcards.

One thing I noticed when testing this branch is XRootD is internally still doing a reverse DNS lookup on the IP address it connects to when filling out the `XrdSecEntity` structure.  This is widely considered insecure despite the fact it was commonly done at the grid level until a few years ago.  I'd strongly suggest we remove the reverse DNS lookup on the client side once there's appropriate SAN support.
You can view, comment on, or merge this pull request online at:

  https://github.com/xrootd/xrootd/pull/710

-- Commit Summary --

  * Allow XRootD client to accept subjectAltNames.

-- File Changes --

    M src/XrdCrypto/XrdCryptoX509.cc (74)
    M src/XrdCrypto/XrdCryptoX509.hh (11)
    M src/XrdCrypto/XrdCryptosslX509.cc (49)
    M src/XrdCrypto/XrdCryptosslX509.hh (3)
    M src/XrdSecgsi/XrdSecProtocolgsi.cc (20)

-- Patch Links --

https://github.com/xrootd/xrootd/pull/710.patch
https://github.com/xrootd/xrootd/pull/710.diff

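The matching procedure the pull request describes (try the CN, then walk the listed `subjectAltNames`, with wildcard support), written out as an added example. This is not XRootD code and does not use the `XrdCryptoX509` classes; it works on plain strings so it can run stand-alone. The exact wildcard rules are an assumption on my part (the PR text does not spell them out): only a leading `*.` is a wildcard, it matches exactly one DNS label, and it is refused for patterns with fewer than two labels after the wildcard. The sample CN, SAN list and host names are constructed for the demo.

```cpp
// Added example (not XRootD code): CN-then-SAN host-name matching with
// RFC 6125-style wildcard handling. All names below are constructed samples.
#include <cctype>
#include <cstdio>
#include <string>
#include <vector>

namespace sanmatch {

// DNS names are case-insensitive, so compare in lower case.
static std::string lower(std::string s) {
    for (char &c : s)
        c = static_cast<char>(std::tolower(static_cast<unsigned char>(c)));
    return s;
}

// Match one certificate name (the CN or one dNSName SAN) against the host the
// client asked for. Assumed wildcard rules:
//   * only a leading "*." is a wildcard, and it is the whole leftmost label;
//   * "*" matches exactly one label (never across a '.'), so "*.example.org"
//     matches "a.example.org" but not "a.b.example.org" or "example.org";
//   * the wildcard must be followed by at least two labels ("*.org" is refused).
bool nameMatches(const std::string &pattern, const std::string &host) {
    const std::string p = lower(pattern), h = lower(host);
    if (p.empty() || h.empty()) return false;
    if (p.compare(0, 2, "*.") != 0) return p == h;      // no wildcard: exact match
    const std::string suffix = p.substr(1);             // e.g. ".example.org"
    size_t dots = 0;
    for (char c : suffix) if (c == '.') ++dots;
    if (dots < 2) return false;                         // refuse "*.org"
    if (h.size() <= suffix.size()) return false;        // host must have an extra label
    if (h.compare(h.size() - suffix.size(), suffix.size(), suffix) != 0) return false;
    const std::string leftmost = h.substr(0, h.size() - suffix.size());
    return !leftmost.empty() && leftmost.find('.') == std::string::npos;
}

// The procedure from the PR: CN first, then each listed SAN in turn.
// `host` should be the name the user actually connected to. A name obtained by
// reverse DNS on the peer address is not under the client's control, so it is
// not a safe value to compare against (the concern raised in the PR text).
bool certMatchesHost(const std::string &cn, const std::vector<std::string> &sans,
                     const std::string &host) {
    if (nameMatches(cn, host)) return true;
    for (const std::string &san : sans)
        if (nameMatches(san, host)) return true;
    return false;
}

} // namespace sanmatch

int main() {
    // Constructed sample certificate: a legacy CN plus SANs covering the service.
    const std::string cn = "old-name.example.org";
    const std::vector<std::string> sans = {"xrootd.example.org", "*.storage.example.org"};
    const char *hosts[] = {"xrootd.example.org", "disk01.storage.example.org",
                           "a.b.storage.example.org", "storage.example.org"};
    for (const char *h : hosts)
        std::printf("%-30s -> %s\n", h,
                    sanmatch::certMatchesHost(cn, sans, h) ? "match" : "NO match");
    return 0;
}
```

Running the demo shows `xrootd.example.org` and `disk01.storage.example.org` matching, while `a.b.storage.example.org` (two labels under the wildcard) and `storage.example.org` (no label under the wildcard) are rejected; those two rejections are the cases a lax wildcard implementation tends to get wrong.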
