tlscommon: update server side verification mode 'full' #242
Type: "CERTIFICATE", | ||
Bytes: cert.Leaf.Raw, | ||
}) | ||
require.Errorf(t, err, "failed to encode certificste to PEM") |
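Review bot: `require.Errorf(t, err, ...)` on the last line asserts that `err` is non-nil, so the check passes only when PEM encoding fails, which contradicts the message "failed to encode ... to PEM". If the intent is to stop the test when encoding fails, use `require.NoError(t, err, "failed to encode certificate to PEM")`, which also fixes the "certificste" typo.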
There is nothing to be formatted here:
require.Errorf(t, err, "failed to encode certificste to PEM") | |
require.Error(t, err, "failed to encode certificste to PEM") |
// VerifyFull would attempt to match 'host' (c.ServerName) that is the host | ||
// the client is trying to connect to with a DNS, IP or the CN from the | ||
// client's certificate. Such validation, besides making no sense on the | ||
// server side also causes errors as the client certificate usually does not | ||
// contain a DNS, IP or CN matching the server's hostname. | ||
case VerifyFull, VerifyCertificate: |
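Review bot: the comment above `case VerifyFull, VerifyCertificate:` explains why host name matching is skipped, but it never states the resulting contract: as written, the two modes share one branch, so on the server side `full` performs the same checks as `certificate`. Say that explicitly in the comment and in the user-facing description of the verification modes, since an operator who configured `full` may expect a stricter check. "would attempt" also reads as if the matching still happens; "previously attempted" would be clearer, and a comma is missing after "server side".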
Conceptually this sounds like an odd default behaviour to me; however, I'm not an expert on mTLS.
My main question/concern here is: are client certificates not containing a hostname correct behaviour, or is it a 'common, but technically wrong practice'?
it's the correct behaviour, this check should not be there
cc @AndersonQ
What does this PR do?
Updates server side verification mode 'full'
Why is it important?
To remove unnecessary verification
Checklist
Related issues