Whenever reverse DNS is trusted, this enables the "historical" configuration where the IP address of the connected socket is considered for reverse resolution (and the remote server's DN is compared against the resulting hostname).
IMHO, this is significantly more dangerous than "traditional' reliance on reverse DNS for non-Xrootd cases. Any attacker that is performing a MITM is able to force the client to accept any valid host certificate.
So, if the attacker controlling DNS could force `foo.example.com` to resolve to attacker-controlled IP address `1.2.3.4` with reverse resolution of `badguy.io`, the client would accept the connection as long as `badguy.io` has a certificate from a valid authority.
Fix #841
You can view, comment on, or merge this pull request online at:
https://github.com/xrootd/xrootd/pull/844
-- Commit Summary --
* Fallback to reverse DNS in all cases.
* Simplify hostname generation logic.
-- File Changes --
M src/XrdSecgsi/XrdSecProtocolgsi.cc (31)
M src/XrdSecgsi/XrdSecProtocolgsi.hh (5)
-- Patch Links --
https://github.com/xrootd/xrootd/pull/844.patch
https://github.com/xrootd/xrootd/pull/844.diff
--
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/xrootd/xrootd/pull/844
########################################################################
Use REPLY-ALL to reply to list
To unsubscribe from the XROOTD-DEV list, click the following link:
https://listserv.slac.stanford.edu/cgi-bin/wa?SUBED1=XROOTD-DEV&A=1
