Whenever reverse DNS is trusted, this enables the "historical" configuration where the IP address of the connected socket is considered for reverse resolution (and the remote server's DN is compared against the resulting hostname).

IMHO, this is significantly more dangerous than "traditional" reliance on reverse DNS for non-Xrootd cases. Any attacker that is performing a MITM is able to force the client to accept any valid host certificate.

So, if the attacker controlling DNS could force foo.example.com to resolve to attacker-controlled IP address 1.2.3.4 with reverse resolution of badguy.io, the client would accept the connection as long as badguy.io has a certificate from a valid authority.

Fix #841
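The scenario described above, as an added example that is not xrootd's code: the "historical" check derives the expected hostname from reverse DNS of the connected IP, while the hardened variant compares the certificate against the name the client actually asked for. The DNS tables, names and IP are constructed stand-ins for a real resolver so the block runs offline.

```cpp
// Added example (not xrootd code): the historical reverse-DNS hostname check
// beside a check that pins the hostname the client requested.
#include <map>
#include <string>

// Constructed lookup tables standing in for the resolver, so this runs offline.
// The forward table models what an attacker-controlled DNS answers for the name
// the client asked for; the reverse table models PTR answers for the peer IP.
using DnsTable = std::map<std::string, std::string>;

// Historical behaviour: derive the expected host from the connected socket's
// IP via reverse DNS, then compare the server certificate's CN against it.
// Both inputs are controlled by whoever answers DNS and owns the IP.
bool accept_historical(const std::string& cert_cn,
                       const std::string& peer_ip,
                       const DnsTable& reverse_dns) {
    auto it = reverse_dns.find(peer_ip);
    if (it == reverse_dns.end()) return false;   // no PTR record: reject
    return cert_cn == it->second;
}

// Hardened behaviour: compare the certificate against the hostname the user
// requested. Reverse DNS never enters the decision.
bool accept_requested(const std::string& cert_cn,
                      const std::string& requested_host) {
    return cert_cn == requested_host;
}

struct Verdicts { bool historical; bool requested; };

// Scenario from the PR description (constructed values): DNS for
// foo.example.com is poisoned to 1.2.3.4, whose PTR answer is badguy.io, and
// the server presents a CA-issued certificate for badguy.io.
Verdicts mitm_scenario() {
    const std::string requested = "foo.example.com";
    const DnsTable forward = {{requested, "1.2.3.4"}};
    const DnsTable reverse = {{"1.2.3.4", "badguy.io"}};
    const std::string presented_cn = "badguy.io";
    const std::string peer_ip = forward.at(requested);
    return {accept_historical(presented_cn, peer_ip, reverse),
            accept_requested(presented_cn, requested)};
}
```

The historical check accepts the impostor's certificate because every input it consults is attacker-influenced; the requested-name check rejects it.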


You can view, comment on, or merge this pull request online at:

  https://github.com/xrootd/xrootd/pull/844

Commit Summary

  00b21d8  Fallback to reverse DNS in all cases.
  5762f13  Simplify hostname generation logic.

File Changes

  Modified  src/XrdSecgsi/XrdSecProtocolgsi.cc (31 changes)
  Modified  src/XrdSecgsi/XrdSecProtocolgsi.hh (5 changes)

Patch Links:

  https://github.com/xrootd/xrootd/pull/844.patch
  https://github.com/xrootd/xrootd/pull/844.diff

To unsubscribe from the XROOTD-DEV list, click the following link:
https://listserv.slac.stanford.edu/cgi-bin/wa?SUBED1=XROOTD-DEV&A=1