Re: ktls-utils: question about certificate verification

> On May 31, 2024, at 1:23 PM, Olga Kornievskaia <aglo@xxxxxxxxx> wrote:
> 
> Hi Chuck,
> 
> I've run into the following problem while trying to mount on RHEL9.4
> client using xprtsec=tls. After some debugging I have determined that
> the reason mount by DNS name was failing is because gnutls insisted on
> having in SubjectAltName=DNS:foo.bar.com. Having a certificate that
> has a DNS name in the "CN" and then had "SubjectAltName=IP:x.x.x.x"
> was failing. But when I created a certificate with
> "SubjectAltName:IP:x.x.x.x:DNS:x.x.x.x" then I could mount (or just
> having DNS: works too but in that case mounting by IP doesn't work).
> 
> Here's the output from tlshd when it fails (with SubjectAltName "IP"):
> 
> tlshd[260035]: gnutls(3): self-signed cert found: subject
> `EMAIL=kolga@xxxxxxxxxx,CN=rhel94.nas.lab,OU=NFS,O=Netapp,L=Ann
> Arbor,ST=MI,C=US', issuer
> `EMAIL=kolga@xxxxxxxxxx,CN=rhel94.nas.lab,OU=NFS,O=Netapp,L=Ann
> Arbor,ST=MI,C=US', serial 0x751ad911565945cce5d29d1c206450538f496b90,
> RSA key 2048 bits, signed using RSA-SHA256, activated `2024-05-31
> 15:07:53 UTC', expires `2024-06-30 15:07:53 UTC',
> pin-sha256="Efzu7ftve1SHxBVAIwf81jwAasQ0M3j5qWbEVuM8X8I="
> tlshd[260035]: gnutls(3): ASSERT: x509_ext.c[gnutls_subject_alt_names_get]:111
> tlshd[260035]: gnutls(3): ASSERT: x509.c[get_alt_name]:2011
> tlshd[260035]: gnutls(3): ASSERT:
> verify-high.c[gnutls_x509_trust_list_verify_crt2]:1615
> tlshd[260035]: gnutls(3): ASSERT: auto-verify.c[auto_verify_cb]:51
> tlshd[260035]: gnutls(3): ASSERT: handshake.c[_gnutls_run_verify_callback]:3018
> tlshd[260035]: gnutls(3): ASSERT:
> handshake-tls13.c[_gnutls13_handshake_client]:139
> tlshd[260035]: Certificate owner unexpected.
> 
> Question: does the ktls-utils requirement for IP presence in SubjectAltName
> now require both?

I'm not sure I understand.

If you want to mount by DNS name, the certificate has to have
a matching DNS name in it.

If you want to mount by IP address, the certificate has to have
a matching IP address in it.

The reason for this is to avoid any potential interaction with
a DNS server which might be compromised.

--
Chuck Lever
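The identity rule Chuck describes, written out as an added example (this is not code from ktls-utils, tlshd or gnutls, and it models the RFC 6125 / RFC 2818 matching rules rather than reproducing gnutls's own implementation): the name the client mounted by is compared only against subjectAltName entries of the matching type. A hostname is checked against dNSName entries, an IP literal against iPAddress entries, and the Subject CN is never consulted, which is why a certificate carrying `CN=rhel94.nas.lab` with only an `IP:` SAN fails a mount by DNS name. The `Cert` class, the host `rhel94.nas.lab` and the address `192.0.2.10` are constructed stand-ins for a parsed certificate.

```python
"""Added example (not ktls-utils/tlshd/gnutls code): TLS server-identity
matching against subjectAltName only, following RFC 6125 / RFC 2818."""
import ipaddress
from dataclasses import dataclass, field
from typing import List


@dataclass
class Cert:
    """Constructed stand-in for a parsed X.509 end-entity certificate."""
    subject_cn: str
    san_dns: List[str] = field(default_factory=list)   # dNSName entries
    san_ip: List[str] = field(default_factory=list)    # iPAddress entries


def _dns_match(pattern: str, host: str) -> bool:
    """Case-insensitive DNS-ID comparison. A single '*' is accepted only as
    the entire left-most label, must cover a name with at least three
    labels, and never matches across a dot."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if pattern == host:
        return True
    if not pattern.startswith("*."):
        return False
    p_labels, h_labels = pattern.split("."), host.split(".")
    return len(p_labels) == len(h_labels) >= 3 and p_labels[1:] == h_labels[1:]


def _ip_match(entries: List[str], wanted: ipaddress._BaseAddress) -> bool:
    """Compare parsed iPAddress SAN entries; unparsable entries are skipped."""
    for entry in entries:
        try:
            if ipaddress.ip_address(entry) == wanted:
                return True
        except ValueError:
            continue
    return False


def identity_matches(cert: Cert, target: str) -> bool:
    """True if the name the client mounted by (DNS name or IP literal) is
    covered by the certificate's subjectAltName. The CN is deliberately
    ignored: a CN that happens to equal the hostname does not help."""
    try:
        wanted = ipaddress.ip_address(target)
    except ValueError:
        wanted = None
    if wanted is not None:
        # Mounted by IP address: only iPAddress SAN entries can match.
        return _ip_match(cert.san_ip, wanted)
    # Mounted by hostname: only dNSName SAN entries are consulted.
    return any(_dns_match(p, target) for p in cert.san_dns)


if __name__ == "__main__":
    # Constructed inputs mirroring the two certificates in the thread.
    ip_only = Cert("rhel94.nas.lab", san_ip=["192.0.2.10"])
    both = Cert("rhel94.nas.lab", san_dns=["rhel94.nas.lab"], san_ip=["192.0.2.10"])
    for cert, name in [(ip_only, "rhel94.nas.lab"), (ip_only, "192.0.2.10"),
                       (both, "rhel94.nas.lab"), (both, "192.0.2.10")]:
        print(f"{name:16} vs SAN dns={cert.san_dns} ip={cert.san_ip}: "
              f"{'ok' if identity_matches(cert, name) else 'Certificate owner unexpected'}")
```

To produce a certificate that satisfies both mount forms, put both entry types in the SAN when generating it, for example with OpenSSL 1.1.1 or later: `openssl req -x509 -newkey rsa:2048 -nodes -keyout server.key -out server.crt -subj "/CN=rhel94.nas.lab" -addext "subjectAltName=DNS:rhel94.nas.lab,IP:192.0.2.10"` (the hostname and address are placeholders), and confirm the extension with `openssl x509 -in server.crt -noout -ext subjectAltName`.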