I've just started experimenting with the new TLS feature.  One thing that almost
immediately popped out.

It would be good to have "TLS Allowed DN" and "TLS Allowed Peer Certificate"
options (or something shorter for the second one).

The first option (TLS Allowed DN) would be there since CN might not be unique
enough (actually, I was a bit surprised that the initial implementation was
checking the CN, not the DN).  Especially on sites that already use TLS for other
things and have established naming conventions.  The CN field often contains
only the host name, and it is common practice that it is shared by all certificates
issued for services running on that host (for example, a web server and a bacula
file daemon running on the same machine might have different certificates, signed
by the same CA with the same CN).  On the other hand, the DN is unique within a single CA.  It
would be nice if the CA DN could also be specified (that would solve the uniqueness
problem in the case where there are several trusted CAs).

It would be nice if it was possible to match only on part of the DN (for example,
like in the Apache configuration file).  But I guess this would additionally
complicate things (although, I guess for some people it would be a useful
feature).

The second option (TLS Allowed Peer Certificate) would allow the use of
self-signed certificates for authentication.  Setting up a CA might be too much
to ask for small sites.  Using the "TLS Allowed Peer Certificate", the server would
check whether the file pointed to by that option contains the same certificate (public key)
as the one that the client presented.


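Added example, not part of the message above and not Bacula's own code: a small policy check modelled on the two proposed options. It shows why a CN-only check cannot tell two certificates on the same host apart while a full-DN check (optionally tied to the issuing CA's DN) can, plus a partial-DN match and a pinned-peer-certificate comparison. Assumptions: DNs are handled as RFC 4514-style strings rather than parsed from X.509; the partial-match semantics ("every listed component must be present") are a simplification of Apache-style matching; and the pinned-certificate check compares the whole DER certificate by SHA-256 fingerprint rather than extracting the public key. The DNs and DER bytes are constructed sample values.

```python
"""Added example of DN-based and pinned-certificate peer checks (not Bacula code)."""
import hashlib
import hmac
from typing import List, Optional, Tuple

DN = List[Tuple[str, str]]  # ordered (attribute type, value) pairs


def _split_pair(component: str) -> Tuple[str, str]:
    if "=" not in component:
        raise ValueError(f"malformed DN component: {component!r}")
    attr, value = component.split("=", 1)
    # attribute types are case-insensitive, values are kept as given
    return attr.strip().upper(), value.strip()


def parse_dn(dn: str) -> DN:
    """Split 'CN=a,OU=b,O=c' into ordered pairs; backslash escapes the next char."""
    parts: DN = []
    current: List[str] = []
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            current.append(dn[i + 1])  # keep an escaped ',' literally
            i += 2
            continue
        if ch == ",":
            parts.append(_split_pair("".join(current)))
            current = []
        else:
            current.append(ch)
        i += 1
    parts.append(_split_pair("".join(current)))
    return parts


def cn_only(dn: DN) -> Optional[str]:
    """The weak check: the CN value alone, as in the initial implementation."""
    for attr, value in dn:
        if attr == "CN":
            return value
    return None


def dn_contains(dn: DN, required: DN) -> bool:
    """Partial match (assumed semantics): all required components present, order ignored."""
    return all(comp in dn for comp in required)


class AllowedDN:
    """One 'TLS Allowed DN' rule, optionally bound to an issuer (CA) DN."""

    def __init__(self, subject: str, issuer: Optional[str] = None, partial: bool = False):
        self.subject = parse_dn(subject)
        self.issuer = parse_dn(issuer) if issuer else None
        self.partial = partial

    def matches(self, peer_subject: str, peer_issuer: str) -> bool:
        subj = parse_dn(peer_subject)
        if self.partial:
            if not dn_contains(subj, self.subject):
                return False
        elif subj != self.subject:  # full DN: same components, same order
            return False
        if self.issuer is not None and parse_dn(peer_issuer) != self.issuer:
            return False  # right subject, but signed by a different CA
        return True


def peer_allowed(peer_subject: str, peer_issuer: str, rules: List[AllowedDN]) -> bool:
    return any(rule.matches(peer_subject, peer_issuer) for rule in rules)


def fingerprint(der: bytes) -> str:
    return hashlib.sha256(der).hexdigest()


def pinned_certificate_matches(peer_der: bytes, pinned_der: bytes) -> bool:
    """'TLS Allowed Peer Certificate': presented cert must equal the one on disk.
    Whole-certificate fingerprints are compared in constant time."""
    return hmac.compare_digest(fingerprint(peer_der), fingerprint(pinned_der))


if __name__ == "__main__":
    # Constructed DNs: two services on one host share the CN, as in the mail.
    FD = "CN=backup1.example.com,OU=Bacula FD,O=Example,C=US"
    WEB = "CN=backup1.example.com,OU=Web,O=Example,C=US"
    CA = "CN=Example Internal CA,O=Example,C=US"
    rules = [AllowedDN(FD, issuer=CA)]
    print("CN-only check cannot distinguish them:", cn_only(parse_dn(FD)) == cn_only(parse_dn(WEB)))
    print("FD cert allowed by DN rule:", peer_allowed(FD, CA, rules))
    print("Web cert allowed by DN rule:", peer_allowed(WEB, CA, rules))
```

Run it directly for the demonstration, or import it and build the `AllowedDN` rule list from a configuration file. Binding a rule to the issuer DN is what makes the match hold across several trusted CAs, and a partial rule should be used only where the listed components are genuinely controlled by the CA's issuance policy.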



_______________________________________________
Bacula-users mailing list
Bacula-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/bacula-users
