pocoproject / poco

The POCO C++ Libraries are powerful cross-platform C++ libraries for building network- and internet-based applications that run on desktop, server, mobile, IoT, and embedded systems.
https://pocoproject.org

client certificate verification against hostname question #4475

Closed SpitchAG closed 7 months ago

SpitchAG commented 7 months ago

Describe the bug

Currently, when an SSL server asks for a client certificate and receives it (e.g. in relaxed mode), it ends up calling the verify(hostname) method, which may call the X509_check_host / ip SSL method. For client certificate verification I am questioning the pertinence of this check, because the peerHostname in this case would be an IP address, and having CN/SAN set to IPs in the certificate is not something very usable. Setting SAN to DNS names would fail mutual TLS because currently I believe there is no automatic IP to DNS resolver.

In fact some customers using mutual TLS use the CN as some "authorized user", which makes the verify(hostname) even more questionable...

Just wondering if it is not better to call verify(hostname) only in client mode (so a server won't call verify(hostname))?

To Reproduce

Perform mutual TLS (server mode = strict) using client certificates with CN/SAN set to DNS names (*.mydomain.name) and observe that client certificate verification fails miserably :(

Expected behavior

Mutual TLS shall succeed.

SpitchAG commented 7 months ago

Closing this issue because I just found out about the nice enableExtendedCertificateVerification() context method, which does the job.
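The failure mode in this thread (a DNS-name SAN checked against a peer that is only known by its IP address) and the effect of the extended-verification switch can be reproduced without a TLS stack. The following is an added, stand-alone C++ illustration; it is not POCO code. `Poco::Net::Context::enableExtendedCertificateVerification(bool)` is the real POCO switch named in the thread, but the example does not call it: `acceptPeer`, `sanCoversPeer`, `dnsNameMatches` and `looksLikeIpLiteral` are hypothetical helpers written here, and the SAN values and peer addresses are constructed sample data.

```cpp
// Added example, not POCO code. Models the peer-name check described in the
// issue: with extended verification enabled, the peer "hostname" is matched
// against the certificate's SAN entries, whichever side of the handshake we are.
#include <algorithm>
#include <cctype>
#include <iostream>
#include <string>
#include <vector>

// Subject Alternative Name entry as it would appear in a certificate (constructed).
struct SanEntry {
    enum class Kind { Dns, Ip } kind;
    std::string value;
};

static std::string toLower(std::string s) {
    std::transform(s.begin(), s.end(), s.begin(),
                   [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
    return s;
}

// Rough test for an IP literal: IPv6 contains ':', IPv4 is digits and dots only.
// A server usually only has this for its client, not a DNS name.
bool looksLikeIpLiteral(const std::string& host) {
    if (host.empty()) return false;
    bool hasColon = host.find(':') != std::string::npos;
    bool allDotDigit = std::all_of(host.begin(), host.end(),
        [](unsigned char c) { return std::isdigit(c) || c == '.'; });
    return hasColon || allDotDigit;
}

// Wildcard DNS matching in the spirit of RFC 6125: "*.example.com" matches
// exactly one left-most label, never the bare domain and never across dots.
bool dnsNameMatches(const std::string& pattern, const std::string& host) {
    std::string p = toLower(pattern), h = toLower(host);
    if (p.rfind("*.", 0) != 0) return p == h;          // no wildcard: exact match
    std::string suffix = p.substr(1);                   // ".example.com"
    if (h.size() <= suffix.size()) return false;
    if (h.compare(h.size() - suffix.size(), suffix.size(), suffix) != 0) return false;
    std::string label = h.substr(0, h.size() - suffix.size());
    return !label.empty() && label.find('.') == std::string::npos;
}

// Does the SAN list cover the peer name? An IP literal only matches an IP SAN,
// a DNS name only matches a DNS SAN; the two never cross over.
bool sanCoversPeer(const std::vector<SanEntry>& sans, const std::string& peer) {
    bool peerIsIp = looksLikeIpLiteral(peer);
    for (const auto& san : sans) {
        if (peerIsIp && san.kind == SanEntry::Kind::Ip && san.value == peer) return true;
        if (!peerIsIp && san.kind == SanEntry::Kind::Dns && dnsNameMatches(san.value, peer)) return true;
    }
    return false;
}

// Decision for a peer certificate that already passed chain validation.
// extendedVerification stands in for the flag POCO exposes through
// Context::enableExtendedCertificateVerification(); off means no name check.
bool acceptPeer(bool extendedVerification, const std::vector<SanEntry>& sans,
                const std::string& peer) {
    if (!extendedVerification) return true;
    return sanCoversPeer(sans, peer);
}

int main() {
    // Constructed scenario from the issue: client cert with a wildcard DNS SAN,
    // server only knows the client by its IP address.
    std::vector<SanEntry> clientSans = {{SanEntry::Kind::Dns, "*.mydomain.name"}};
    std::cout << "server, extended on : " << acceptPeer(true, clientSans, "10.0.0.5") << "\n";
    std::cout << "server, extended off: " << acceptPeer(false, clientSans, "10.0.0.5") << "\n";
    std::cout << "client, extended on : " << acceptPeer(true, clientSans, "api.mydomain.name") << "\n";
    return 0;
}
```

The server-side call with extended verification on is the case that "fails miserably" in the report: the wildcard SAN can never match an IP literal. Turning the flag off on the server context skips the name check entirely, which is what the reporter found; the client-side call shows the check still doing useful work where the peer is addressed by DNS name.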