chirpstack / chirpstack-gateway-bridge

ChirpStack Gateway Bridge abstracts Packet Forwarder protocols into Protobuf or JSON over MQTT.
https://www.chirpstack.io
MIT License

#125 verify CommonName of client certificates with basic_station backend #129

Closed sa-wilson closed 5 years ago

sa-wilson commented 5 years ago

Adds support for #125 (Require certificate CommonName to match EUI for basic_station backend)

I've tested this locally with my own build of basic_station on a gateway and it doesn't appear to break regular TLS connections (with verify_cn set to false), or non-TLS connections.

brocaar commented 5 years ago

Thanks @sa-wilson :+1:

One question I have is if the verify_cn option should be introduced at all or if this should always happen when the Basic Station is using a client certificate. As I have not yet seen the Basic Station being used in production environments together with LoRa Server, I don't think introducing this validation would cause any trouble.

If I would make this integration again, I would make this CN validation mandatory :slightly_smiling_face:

sa-wilson commented 5 years ago

I'm good with making CommonName validation mandatory with client certificates.

I was going for the "don't break anything" approach, but if you're fine with making that mandatory I think it's a good idea for security. Especially if you're going to the effort of setting up a CA and generating client certificates in the first place.
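The check discussed in this thread, as an added example that is not the code from this pull request: a certificate signed by the CA proves the gateway is one of yours, and comparing its CommonName to the EUI proves which one. The helper name `checkGatewayCN`, the 16-hex-character EUI format and the assumption that the TLS layer has already verified the chain against the CA are all assumptions of this sketch.

```go
package main

import (
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"errors"
	"fmt"
)

// parseEUI decodes a gateway EUI written as 16 hex characters (assumed format).
func parseEUI(s string) ([8]byte, error) {
	var eui [8]byte
	b, err := hex.DecodeString(s)
	if err != nil || len(b) != len(eui) {
		return eui, fmt.Errorf("invalid EUI %q", s)
	}
	copy(eui[:], b)
	return eui, nil
}

// checkGatewayCN is a hypothetical helper. peerCerts is what
// tls.ConnectionState.PeerCertificates holds after chain verification;
// claimedEUI is the EUI the gateway announces for its session.
func checkGatewayCN(peerCerts []*x509.Certificate, claimedEUI string) error {
	if len(peerCerts) == 0 {
		return nil // non-TLS, or TLS without a client certificate: nothing to bind
	}
	claimed, err := parseEUI(claimedEUI)
	if err != nil {
		return err
	}
	// Only the leaf (index 0) identifies the gateway; skip intermediates.
	certEUI, err := parseEUI(peerCerts[0].Subject.CommonName)
	if err != nil {
		return errors.New("client certificate CommonName is not an EUI")
	}
	if certEUI != claimed { // byte comparison, so hex case does not matter
		return fmt.Errorf("CommonName %x does not match gateway EUI %x", certEUI, claimed)
	}
	return nil
}

func main() {
	// Constructed sample certificate; only the subject matters for this check.
	leaf := &x509.Certificate{Subject: pkix.Name{CommonName: "0102030405060708"}}
	fmt.Println(checkGatewayCN([]*x509.Certificate{leaf}, "0102030405060708"))
	fmt.Println(checkGatewayCN([]*x509.Certificate{leaf}, "aabbccddeeff0011"))
}
```

Without this comparison, any gateway holding a valid certificate from the CA could connect while announcing another gateway's EUI.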