[syslog-ng] SSL certificate verification

Gergely Nagy algernon at balabit.hu
Sun May 1 00:03:52 CEST 2011


Balazs Scheidler <bazsi at balabit.hu> writes:

> On Thu, 2011-03-10 at 10:39 +0100, Peter Eckel wrote:
>> > You have a point here. I guess doing a reverse and then a forward lookup
>> > would not be bad, even though that would mean an extra DNS lookup when
>> > the connection is established. And since this is only an _additional_ 
>> > restriction to having a trusted key, this may be useful.
>> 
>> I don't think the cost of a reverse-then-forward lookup should be a
>> problem. After all, we are using TCP when TLS is involved anyway, so
>> the connections are permanent in most cases and the overhead of two
>> DNS lookups is negligible. We need an option to make the matching of
>> the double lookup a strict requirement (or do it at all - with
>> DNSSEC, it's not really necessary), though - there are cases where
>> several IP addresses have a PTR to the same host name, so the lookup
>> of the host name would probably return a different IP.
>> 
>> I also second Matt's injection that putting the IP address in
>> subjectAltName can be a major maintenance headache in larger
>> environments. My current environment is a rather static and
>> well-defined one, but keeping track of hundreds of hosts with their
>> IPs would be a challenge, apart from the fact that generating
>> certificates automatically would require some additional
>> infrastructure in order to keep the process secure.
>
> anyone with the interest of implementing this?

*raises a hand*

Unless someone else beats me to it, of course. I'll see if I can squeeze
this into my afternoon.

-- 
|8]
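The reverse-then-forward check debated in this thread, written out as an added example (not syslog-ng code, and not code from any of the posters). It takes the peer's IP address, resolves its PTR names, resolves each name forward again and, in strict mode, keeps only names whose forward lookup contains the original address; the accepted names are then matched against the DNS names in the peer certificate, with a trusted certificate still being the primary check. The DNS tables are constructed for the example and stand in for real resolver calls; the function names, the `strict` flag and the wildcard matching are assumptions of this illustration, not syslog-ng options. The table includes the case Peter describes (two addresses sharing one PTR while the name resolves to only one of them) and a PTR that points at a name the address does not own, which is the case the strict mode is there to reject.

```python
"""Reverse-then-forward DNS check for a TLS peer, added example only."""
import ipaddress

# Constructed DNS data standing in for real PTR / A lookups.
CONSTRUCTED_PTR = {
    "192.0.2.10": ["loghost1.example.net."],
    "192.0.2.11": ["loghost1.example.net."],  # second address with the same PTR
    "192.0.2.12": ["loghost2.example.net."],
    "192.0.2.13": ["loghost2.example.net."],  # PTR claims a name it does not own
}
CONSTRUCTED_A = {
    "loghost1.example.net.": ["192.0.2.10"],  # forward lookup returns one address only
    "loghost2.example.net.": ["192.0.2.12"],
}


def constructed_reverse(ip):
    """Hypothetical PTR lookup backed by the constructed table."""
    return CONSTRUCTED_PTR.get(ip, [])


def constructed_forward(name):
    """Hypothetical A lookup backed by the constructed table."""
    return CONSTRUCTED_A.get(name, [])


def reverse_forward_names(ip, reverse=constructed_reverse,
                          forward=constructed_forward, strict=True):
    """Return the PTR names of `ip` that survive the forward re-check.

    strict=True: a name is kept only if its forward lookup contains `ip`.
    strict=False: every PTR name is kept (the relaxed mode the thread asks
    for when several addresses share a PTR that resolves to one of them).
    """
    ip = str(ipaddress.ip_address(ip))  # canonical text form
    accepted = []
    for name in reverse(ip):
        forward_set = {str(ipaddress.ip_address(a)) for a in forward(name)}
        if ip in forward_set or not strict:
            accepted.append(name.lower().rstrip("."))
    return accepted


def cert_name_matches(cert_dns_names, hostname):
    """Case-insensitive match of `hostname` against certificate DNS names.

    One leading wildcard label is allowed, as in RFC 6125 section 6.4.3,
    and it matches exactly one label.
    """
    host_labels = hostname.lower().rstrip(".").split(".")
    for cert_name in cert_dns_names:
        labels = cert_name.lower().rstrip(".").split(".")
        if len(labels) != len(host_labels):
            continue
        if labels[0] == "*" and len(labels) > 2:
            if labels[1:] == host_labels[1:]:
                return True
        elif labels == host_labels:
            return True
    return False


def verify_peer(ip, cert_dns_names, strict=True,
                reverse=constructed_reverse, forward=constructed_forward):
    """Return the matching hostname if the peer passes, otherwise None.

    This is the additional restriction discussed in the thread; it is
    applied on top of (never instead of) validating the certificate chain.
    """
    for name in reverse_forward_names(ip, reverse, forward, strict):
        if cert_name_matches(cert_dns_names, name):
            return name
    return None


if __name__ == "__main__":
    san = ["loghost1.example.net"]
    print(verify_peer("192.0.2.10", san))               # loghost1.example.net
    print(verify_peer("192.0.2.11", san))               # None (strict)
    print(verify_peer("192.0.2.11", san, strict=False))  # loghost1.example.net
    print(verify_peer("192.0.2.13", ["loghost2.example.net"]))  # None
```

With the default strict mode the second address of loghost1 is refused because its forward lookup does not return that address, which is exactly the operational problem Peter raises; the relaxed mode accepts it, at the price of trusting a PTR record that is under the control of whoever owns the address block, which is why 192.0.2.13 is accepted only in relaxed mode.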
