[syslog-ng] SSL certificate verification

Peter Eckel lists at eckel-edv.de
Thu Mar 10 10:39:44 CET 2011


> You have a point here. I guess doing a reverse and then a forward lookup
> would not be bad, even though that would mean an extra DNS lookup when
> the connection is established. And since this is only an _additional_ 
> restriction to having a trusted key, this may be useful.

I don't think the cost of a reverse-then-forward lookup should be a problem. After all, we are using TCP when TLS is involved anyway, so the connections are permanent in most cases and the overhead of two DNS lookups is negligible. We need an option to make the matching of the double lookup a strict requirement (or do it at all - with DNSSEC, it's not really necessary), though - there are cases where several IP addresses have a PTR to the same host name, so the lookup of the host name would probably return a different IP. 

I also second Matt's injection that putting the IP address in subjectAltName can be a major maintenance headache in larger environments. My current environment is a rather static and well-defined one, but keeping track of hundreds of hosts with their IPs would be a challenge, apart from the fact that generating certificates automatically would require some additional infrastructure in order to keep the process secure. 

Regards, 
 
  Peter. 
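The reverse-then-forward check discussed above, as an added example that is not code from the post or from syslog-ng: a PTR lookup on the peer's address, a check that the resulting name is one the certificate carries, then a forward lookup to confirm the name really resolves back to the peer. The DNS tables are constructed stand-ins so the code runs offline; the `strict` flag and the `VerifyResult` type are assumptions for illustration, not syslog-ng options. The second constructed address (`192.0.2.11`) reproduces the case the post raises: two addresses share one PTR, but only the first is published as an A record, so the strict mode rejects it and the relaxed mode accepts it with a note.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Optional

# Constructed, offline stand-ins for DNS answers (not a real resolver).
# PTR: peer address -> host name.  A: host name -> published addresses.
PTR_RECORDS: Dict[str, str] = {
    "192.0.2.10": "relay1.example.net",
    "192.0.2.11": "relay1.example.net",   # second interface, same PTR, no A record
    "192.0.2.77": "other.example.net",    # PTR name that is not in the certificate
}
A_RECORDS: Dict[str, List[str]] = {
    "relay1.example.net": ["192.0.2.10"],
    "other.example.net": ["203.0.113.9"],
}


def ptr_lookup(ip: str) -> Optional[str]:
    """Reverse lookup against the constructed table (None if no PTR)."""
    return PTR_RECORDS.get(ip)


def a_lookup(name: str) -> List[str]:
    """Forward lookup against the constructed table (empty list if unknown)."""
    return A_RECORDS.get(name, [])


def _normalize(name: str) -> str:
    # DNS names are case-insensitive; a PTR answer may carry a trailing dot.
    return name.rstrip(".").lower()


@dataclass
class VerifyResult:
    ok: bool
    reason: str


def verify_peer_name(
    peer_ip: str,
    cert_names: Iterable[str],
    strict: bool = True,
    ptr: Callable[[str], Optional[str]] = ptr_lookup,
    forward: Callable[[str], List[str]] = a_lookup,
) -> VerifyResult:
    """Additional restriction on top of an already trusted certificate:
    the peer's PTR name must be one of the certificate's names, and
    (in strict mode) the forward lookup of that name must include the
    peer's address again."""
    name = ptr(peer_ip)
    if name is None:
        return VerifyResult(False, "no PTR record for peer address")
    name = _normalize(name)

    allowed = {_normalize(n) for n in cert_names}
    if name not in allowed:
        return VerifyResult(False, f"PTR name {name} is not in the certificate")

    if peer_ip in forward(name):
        return VerifyResult(True, f"{name} confirmed by forward lookup")

    # Several addresses may share one PTR while only some are published as
    # A records, so the forward lookup can legitimately miss the peer.
    if strict:
        return VerifyResult(False, f"forward lookup of {name} does not return {peer_ip}")
    return VerifyResult(True, f"{name} matches PTR; forward lookup did not confirm (relaxed)")


if __name__ == "__main__":
    names = ["relay1.example.net"]
    for ip in ("192.0.2.10", "192.0.2.11", "192.0.2.77", "192.0.2.99"):
        for strict in (True, False):
            r = verify_peer_name(ip, names, strict=strict)
            print(f"{ip:12} strict={strict!s:5} -> {r.ok!s:5} {r.reason}")
```

In a real deployment the lookups would be replaced by the system resolver, and the check should only ever run after the certificate chain itself has been verified, since the DNS answer adds a restriction rather than replacing trust in the key.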

