Daniel P. Berrange wrote:
> So the question is, is there any meaningful security to be gained by having the server check the commonName field of the client's certificate against the client's incoming IP addr, whether v4 or v6? Perhaps the only thing the server should be using the client cert's commonName field for is lookups in its whitelist of allowed clients? Have you any idea what, say, Exim or Apache do for validation when getting a client cert? Do they bother to check the commonName against the client's source addr, or do they merely use it for access control lookups?
I'm sure the extra security afforded must be very marginal indeed. Perhaps protection against IP address spoofing attacks? However, those aren't very common since operating systems started to choose decent sequence numbers, and in any case, while it might be possible to spoof a three-way TCP handshake, I wouldn't want to try spoofing a TLS handshake...
So I don't know, but I'll take a look at the source for exim to see what they do.
Rich.
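As an added illustration of the two options Dan lists (this is not code from the thread, nor from Exim, Apache or any other project named): a server-side helper, assuming the dict shape Python's `ssl` module returns from `getpeercert()` and a constructed sample client certificate, that contrasts matching the certificate's names against the peer's source address (including the v4-mapped v6 case) with using those names purely as a key into an allowlist.

```python
import ipaddress

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns once the
# TLS layer (cert_reqs=CERT_REQUIRED) has already verified the CA signature.
SAMPLE_PEER_CERT = {
    "subject": ((("countryName", "GB"),), (("organizationName", "Example Ltd"),),
                (("commonName", "build-host-1.example.org"),)),
    "subjectAltName": (("DNS", "build-host-1.example.org"), ("IP Address", "192.0.2.10")),
}

def identity_names(cert):
    """Names the client presents: subject commonName plus DNS / IP SANs."""
    names = set()
    for rdn in cert.get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName":
                names.add(value)
    for kind, value in cert.get("subjectAltName", ()):
        if kind in ("DNS", "IP Address"):
            names.add(value)
    return names

def matches_source_addr(cert, peer_addr):
    """The check under discussion: does any name in the cert equal the source
    address? It can only succeed when the cert carries an IP literal (a hostname
    CN never matches), and a match adds nothing the handshake did not prove."""
    try:
        addr = ipaddress.ip_address(peer_addr)
    except ValueError:
        return False
    # A v4 client seen through a dual-stack socket shows up as ::ffff:a.b.c.d
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
        addr = addr.ipv4_mapped
    for name in identity_names(cert):
        try:
            if ipaddress.ip_address(name) == addr:
                return True
        except ValueError:
            continue  # DNS name, not an address literal
    return False

def authorize_client(cert, allowlist):
    """Access-control lookup: the allowlisted identity this verified cert
    presents, or None. No source-address comparison is involved."""
    for name in identity_names(cert):
        if name in allowlist:
            return name
    return None
```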