On Fri, Feb 16, 2018 at 12:51:41PM -0600, Ian Pilcher via FreeIPA-devel wrote:
> I have an older NETGEAR switch that has an annoying habit of using its IP
> address in URLs that it sends back to the browser. The result can be
> seen here:
>
> https://www.penurio.us/oops.png
>
> I would like to add the switch's IP address to the Subject Alt Name
> extension of its TLS certificate, which is not currently supported by
> FreeIPA.
>
> I'm interested in trying to add this capability, if there's a chance
> that my work will be accepted. My initial thought is that an IP address
> should only be accepted if all of the following are true:
>
> 1. One of the hostnames in the Subject Alt Name (or possibly the Common
>    Name) ultimately resolves to that IP address, possibly via one or
>    more CNAMEs.
>
> 2. All of the DNS records (A, AAAA, CNAME) involved in #1 are managed by
>    this IPA instance.
>
> 3. The reverse DNS record for the IP address is managed by this IPA
>    instance, and it points to an A or AAAA record that is managed by
>    this IPA instance (and contains the correct IP address).
>
> Does this make sense?
>

We have discussed this many times in the past. Each time it has gone in
the "too hard" basket because of concerns around DNS views - the
IPA-managed DNS view seen by IPA clients may differ from external DNS
views. Also IP addresses may change much more rapidly than the lifetime
of a certificate, etc.

Ultimately, the same problems exist for any kind of subject name and the
only practical mitigation is short-lived certificates. With that in
mind, given that Ian's proposal is scoped to only validate IP Address
altnames against data that are explicitly managed in FreeIPA, I don't
object. I'm interested to hear other views.

Cheers,
Fraser

_______________________________________________
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
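The three acceptance rules Ian proposes, written out as a checker over a constructed snapshot of IPA-managed DNS data. This is an added illustration, not code from the thread or from FreeIPA; the zone data, hostnames, addresses and function names are all made up for the example, and "managed" is modelled simply as "present in the snapshot", so any hop that leaves the snapshot fails rule 2.

```python
import ipaddress

# Constructed sample of IPA-managed DNS data (hypothetical, not from the thread).
# FORWARD: owner name -> list of (rrtype, rdata); REVERSE: address -> PTR target.
FORWARD = {
    "switch.example.test.": [("CNAME", "sw1.example.test.")],
    "sw1.example.test.":    [("A", "192.0.2.10")],
    "orphan.example.test.": [("A", "192.0.2.20")],          # no managed PTR
    "ext.example.test.":    [("CNAME", "ext.example.org.")], # chain leaves IPA data
}
REVERSE = {
    "192.0.2.10": "sw1.example.test.",
    "192.0.2.30": "sw1.example.test.",  # PTR whose target does not carry .30
}
MAX_CNAME_DEPTH = 8  # bound the CNAME walk so a looping chain cannot hang us


def managed_addresses(name, forward, depth=0):
    """Follow CNAMEs using only IPA-managed records (rules 1 and 2).
    Returns the set of A/AAAA addresses reached, or None if any hop is
    unmanaged (absent from the snapshot) or the chain is too deep/loops."""
    if depth > MAX_CNAME_DEPTH or name not in forward:
        return None
    addrs = set()
    for rrtype, rdata in forward[name]:
        if rrtype in ("A", "AAAA"):
            addrs.add(ipaddress.ip_address(rdata))
        elif rrtype == "CNAME":
            target_addrs = managed_addresses(rdata, forward, depth + 1)
            if target_addrs is None:
                return None
            addrs |= target_addrs
    return addrs


def validate_ip_san(ip_str, san_hostnames, forward=FORWARD, reverse=REVERSE):
    """Apply the three proposed rules to one IP SAN; return (accepted, reason)."""
    ip = ipaddress.ip_address(ip_str)
    # Rules 1 + 2: some SAN hostname resolves to ip through managed records only.
    resolved = [managed_addresses(h, forward) for h in san_hostnames]
    if not any(a is not None and ip in a for a in resolved):
        return False, "no SAN hostname resolves to %s via IPA-managed records" % ip
    # Rule 3: a managed PTR exists and its target's managed A/AAAA carries ip.
    ptr = reverse.get(str(ip))
    if ptr is None:
        return False, "no IPA-managed PTR record for %s" % ip
    ptr_addrs = managed_addresses(ptr, forward)
    if not ptr_addrs or ip not in ptr_addrs:
        return False, "PTR target %s does not carry %s in managed data" % (ptr, ip)
    return True, "ok"
```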