ServerTlsContext: allow disabling verify peer name #112
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Thomas-Gelf
force-pushed
the
fix/allow-to-verify-peer-wo-name
branch
2 times, most recently
from
b18d6ca to
1ff27dc
Compare
Motivation: servers accepting connections from trusted peers do not know the expected peer name in advance. Therefore, it must be possible to accept incoming connections (validating their client certificate) without being forced to specify an expected client name. You do not need this when using amphp/socket to run your very own public web server, but it is a requirement when running every other kind of service based on trusted client certificates (with more than one client). Similar (but not the same) use cases applies with clients, that should connect to trusted peers, w/o knowing their name in advance. This patch tries to address this, while preserving compatibility with the current behaviour.
Thomas-Gelf
force-pushed
the
fix/allow-to-verify-peer-wo-name
branch
from
1ff27dc to
ff30eac
Compare
|
Hint: with the last force-push I applied a similar patch for ClientTlsContext too. Faced this issue there too, and keeping them similar makes sense anyway. |
|
How does your setup look like? How are the certificates validated? |
|
Hi @kelunik, custom CA / trust store directory. Verify_peer rejects every connection not signed by a trusted CA. Peer names are not known at connection setup time, especially not on the server side - verify_peer_name is therefore a problem. Once verify_peer allowed connection setup, we grant dedicated permissions based on certificate subject/name or custom certificate extensions. Cheers, |
|
@kelunik: if you have related concerns/doubts or different opinions, please let me know |
kelunik
reviewed
Dec 13, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Motivation: servers accepting connections from trusted peers do not know the expected peer name in advance. Therefore, it must be possible to accept incoming connections (validating their client certificate) without being forced to specify an expected client name.
You do not need this when using amphp/socket to run your very own public web server, but it is a requirement when running every other kind of service based on trusted client certificates (with more than one client).
This patch tries to address this, while preserving compatibility with the current behaviour.