[syslog-ng] SSL certificate verification
Balazs Scheidler
bazsi at balabit.hu
Sat Apr 30 22:51:20 CEST 2011
On Thu, 2011-03-10 at 10:39 +0100, Peter Eckel wrote:
> > You have a point here. I guess doing a reverse and then a forward lookup
> > would not be bad, even though that would mean an extra DNS lookup when
> > the connection is established. And since this is only an _additional_
> > restriction to having a trusted key, this may be useful.
>
> I don't think the cost of an reverse-then-forward lookup should be a problem. After all, we are using TCP when TLS is involved anyway, so the connections are permanent in most cases and the overhead of two DNS lookups is neglegible. We need an option to make the matching of the double lookup a strict requirement (or do it at all - with DNSSEC, it's not really necessary), though - there are cases where several IP addresses have a PTR to the same host name, so the lookup of the host name would probably return a different IP.
>
> I also second Matt's injection that putting the IP address in subjectAltName can be a major maintenance headache in larger environments. My current environment is a rather static and well-defined one, but keeping track of hundreds of hosts with their IPs would be a challenge, apart from the fact that generating certificates automatically would require some additional infrastructure in order to keep the process secure.
anyone with the interest of implementing this?
--
Bazsi
More information about the syslog-ng
mailing list