QubitProducts / exporter_exporter

A reverse proxy designed for Prometheus exporters
Apache License 2.0
336 stars, 55 forks

subjectAltName verification #48

Closed mrichar1 closed 4 years ago

mrichar1 commented 4 years ago

Would it be possible to add server SAN verification to the tls config in this exporter? This would allow us to use our existing certificate setup without having to take extra steps to do verification.

I'm not a go programmer, but after a brief look at the code I think the methods outlined in this blog post would do the job:

https://dev.to/living_syn/validating-client-certificate-sans-in-go-i5p

I'm happy to try and create a PR if that would be useful?

tcolgate commented 4 years ago

I'll take a look. It's a reasonable feature, and I'm not opposed. I can't promise I'll get to it in the next week though. I'd, of course, encourage you to give it a try and raise a PR. You get the added glory of your name in the AUTHORS file.

tcolgate commented 4 years ago

I should have checked what you actually want here. I /think/ you want to be able to limit verification based on the SAN presented in the client's cert? (the example you linked to is just enabling a check that checks the cert usage I think)

mrichar1 commented 4 years ago

Hi - yes we were envisaging using the SAN in the client cert to allow/prevent access (i.e. checking one presented by the prometheus server when it pulls data from the exporter).

tcolgate commented 4 years ago

So a regex match on the client cert's SAN would work? (this has been suggested before and is what I assumed you wanted, just want to clarify)

mrichar1 commented 4 years ago

That would be perfect, yes!
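The thread settles on a regex match against the client certificate's SAN, run after the normal client-cert chain verification. The following is an added illustration of that design, not exporter_exporter's own code and not from either participant: the function names (`sanValues`, `clientSANAllowed`, `verifyClientSAN`, `serverTLSConfig`, `selfSignedWithSANs`), the `dns:`/`email:`/`ip:`/`uri:` prefixes used to target one SAN type, and the sample hostnames are all assumptions. It generalises the proposal slightly by matching every SAN type rather than DNS names only, which keeps the check working for certificate setups that identify scrapers by email or URI SANs.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"regexp"
	"time"
)

// sanValues returns every subjectAltName of cert as a string, prefixed with its
// type (dns:, email:, ip:, uri:) so a pattern can be scoped to one kind.
func sanValues(cert *x509.Certificate) []string {
	var out []string
	for _, d := range cert.DNSNames {
		out = append(out, "dns:"+d)
	}
	for _, e := range cert.EmailAddresses {
		out = append(out, "email:"+e)
	}
	for _, ip := range cert.IPAddresses {
		out = append(out, "ip:"+ip.String())
	}
	for _, u := range cert.URIs {
		out = append(out, "uri:"+u.String())
	}
	return out
}

// clientSANAllowed reports whether at least one SAN of cert matches allow.
func clientSANAllowed(cert *x509.Certificate, allow *regexp.Regexp) bool {
	for _, san := range sanValues(cert) {
		if allow.MatchString(san) {
			return true
		}
	}
	return false
}

// verifyClientSAN builds a tls.Config.VerifyPeerCertificate hook (hypothetical helper).
// With ClientAuth = RequireAndVerifyClientCert, Go runs this only after the chain has
// been validated against ClientCAs, so verifiedChains[0][0] is a trusted leaf; the
// hook then adds the SAN allow-list on top of that trust decision.
func verifyClientSAN(allow *regexp.Regexp) func([][]byte, [][]*x509.Certificate) error {
	return func(_ [][]byte, verifiedChains [][]*x509.Certificate) error {
		if len(verifiedChains) == 0 || len(verifiedChains[0]) == 0 {
			return errors.New("client certificate chain was not verified")
		}
		leaf := verifiedChains[0][0]
		if !clientSANAllowed(leaf, allow) {
			return fmt.Errorf("client certificate SANs %v do not match %q", sanValues(leaf), allow)
		}
		return nil
	}
}

// serverTLSConfig wires the hook into a server config: the client must present a
// cert chaining to clientCAs, and that cert must carry a SAN matching allow.
func serverTLSConfig(clientCAs *x509.CertPool, allow *regexp.Regexp) *tls.Config {
	return &tls.Config{
		ClientAuth:            tls.RequireAndVerifyClientCert,
		ClientCAs:             clientCAs,
		MinVersion:            tls.VersionTLS12,
		VerifyPeerCertificate: verifyClientSAN(allow),
	}
}

// selfSignedWithSANs mints a throwaway self-signed client cert carrying the given
// DNS SANs. Constructed test data only; a real deployment uses CA-issued certs.
func selfSignedWithSANs(dnsNames []string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "test-client"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		DNSNames:     dnsNames,
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	// Only certs whose DNS SAN names a Prometheus scraper host are allowed (assumed naming).
	allow := regexp.MustCompile(`^dns:prometheus-[0-9]+\.monitoring\.example\.com$`)
	good, _ := selfSignedWithSANs([]string{"prometheus-1.monitoring.example.com"})
	bad, _ := selfSignedWithSANs([]string{"laptop.corp.example.com"})
	fmt.Println(clientSANAllowed(good, allow), clientSANAllowed(bad, allow)) // true false
	_ = serverTLSConfig(x509.NewCertPool(), allow)
}
```

The anchored regex matters: a pattern such as `prometheus` alone would also accept `prometheus.attacker.example.com` or a SAN of another type that happens to contain the word. Scoping the pattern with the type prefix and `^...$` anchors keeps the allow-list tight, and the hook's failure message lists the presented SANs so a rejected scrape is easy to diagnose in the exporter's logs.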