With this, if the CN doesn't follow the expected matching rules, then the client will iterate through the listed subjectAltNames to determine whether the certificate matches the current host.

This includes support for CNs and SANs with wildcards.

One thing I noticed when testing this branch is that XRootD is internally still doing a reverse DNS lookup on the IP address it connects to when filling out the XrdSecEntity structure. This is widely considered insecure despite the fact that it was commonly done at the grid level until a few years ago. I'd strongly suggest we remove the reverse DNS lookup on the client side once there's appropriate SAN support.


You can view, comment on, or merge this pull request online at:

  https://github.com/xrootd/xrootd/pull/710

Commit Summary

  8f7d3ae  Allow XRootD client to accept subjectAltNames.

File Changes

  Modified  src/XrdCrypto/XrdCryptoX509.cc (74 changes)
            https://github.com/xrootd/xrootd/pull/710/files#diff-0
  Modified  src/XrdCrypto/XrdCryptoX509.hh (11 changes)
            https://github.com/xrootd/xrootd/pull/710/files#diff-1
  Modified  src/XrdCrypto/XrdCryptosslX509.cc (49 changes)
            https://github.com/xrootd/xrootd/pull/710/files#diff-2
  Modified  src/XrdCrypto/XrdCryptosslX509.hh (3 changes)
            https://github.com/xrootd/xrootd/pull/710/files#diff-3
  Modified  src/XrdSecgsi/XrdSecProtocolgsi.cc (20 changes)
            https://github.com/xrootd/xrootd/pull/710/files#diff-4

Patch Links:

  https://github.com/xrootd/xrootd/pull/710.patch
  https://github.com/xrootd/xrootd/pull/710.diff
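The matching order the pull request describes (check the CN against the host-name rules, and only if that fails walk the dNSName subjectAltNames, with wildcards allowed in either) is shown here as a stand-alone added example. It is not code from the pull request or from XRootD: the function names, the pure-string representation of the names (the PR works on parsed X.509 objects in XrdCryptoX509) and the wildcard rules, which follow RFC 6125 section 6.4.3 (one wildcard, only as the whole left-most label, never matching across a dot, never matching an IP literal, and requiring at least two labels after the `*`), are all assumptions of this example. The `host` argument is meant to be the name the client was asked to connect to, not the result of a reverse DNS lookup on the peer address, which is exactly the lookup the description above argues should go away: a name recovered from the attacker-influenced reverse zone tells you nothing about who you meant to talk to. Note also that RFC 6125 recommends ignoring the CN entirely once a certificate carries dNSName SANs; the example keeps the CN-first order of the PR so the reader can compare.

```cpp
// Added example, not XRootD's code: host-name matching with the CN tried
// first and a fallback through the dNSName subjectAltNames, wildcards
// supported in both. All names are plain strings here (assumption).
#include <algorithm>
#include <cctype>
#include <string>
#include <vector>

// Lower-case a DNS name and drop a trailing dot, so comparisons are
// case-insensitive and "host.example.org." equals "host.example.org".
static std::string normalizeName(std::string name) {
    std::transform(name.begin(), name.end(), name.begin(),
                   [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
    if (!name.empty() && name.back() == '.') name.pop_back();
    return name;
}

// Split a name into its labels on '.'.
static std::vector<std::string> splitLabels(const std::string& name) {
    std::vector<std::string> out;
    std::string cur;
    for (char c : name) {
        if (c == '.') { out.push_back(cur); cur.clear(); }
        else          { cur.push_back(c); }
    }
    out.push_back(cur);
    return out;
}

// True when every label is made only of digits, i.e. the host is a dotted
// IPv4 literal; wildcards must never match such a host.
static bool looksLikeIPv4(const std::vector<std::string>& labels) {
    for (const std::string& l : labels) {
        if (l.empty()) return false;
        for (unsigned char c : l) if (!std::isdigit(c)) return false;
    }
    return true;
}

// Match one certificate name (a CN or a dNSName SAN) against the target host.
// Rules (RFC 6125 section 6.4.3 style):
//  * exact, case-insensitive match always wins;
//  * a wildcard is honoured only as the whole left-most label ("*.example.org"),
//    it matches exactly one label, and the pattern must keep at least two
//    labels after the wildcard so "*.org" never matches anything;
//  * wildcards never match across dots and never match an IP literal.
bool matchesHost(const std::string& pattern, const std::string& host) {
    const std::string p = normalizeName(pattern);
    const std::string h = normalizeName(host);
    if (p.empty() || h.empty()) return false;
    if (p == h) return true;
    if (p.compare(0, 2, "*.") != 0) return false;           // only the "*.rest" form
    if (p.find('*', 1) != std::string::npos) return false;  // exactly one wildcard
    const std::vector<std::string> pl = splitLabels(p);
    const std::vector<std::string> hl = splitLabels(h);
    if (pl.size() < 3 || hl.size() != pl.size()) return false;
    if (looksLikeIPv4(hl)) return false;
    for (size_t i = 1; i < pl.size(); ++i)
        if (pl[i] != hl[i]) return false;                   // suffix must match label by label
    return !hl[0].empty();                                  // the '*' must consume one real label
}

// Certificate-level check in the order the PR description gives: try the CN
// first, and only if it does not match iterate the dNSName SANs.
bool certificateMatchesHost(const std::string& cn,
                            const std::vector<std::string>& dnsSans,
                            const std::string& host) {
    if (matchesHost(cn, host)) return true;
    for (const std::string& san : dnsSans)
        if (matchesHost(san, host)) return true;
    return false;
}
```

A real implementation would pull the dNSName entries out of the parsed subjectAltName extension and skip entries of other GeneralName types (email, URI, iPAddress); only dNSName entries are subject to these rules.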

To unsubscribe from the XROOTD-DEV list, click the following link:
https://listserv.slac.stanford.edu/cgi-bin/wa?SUBED1=XROOTD-DEV&A=1