Christian Heimes wrote: > On 2015-10-09 13:21, Jan Orel wrote: >> Hello, >> >> this patch removes (IMHO) redundat check in cert_show, which fails when >> host tries to re-submit certificate of different host/service which he >> can manage. >> >> I also reported the bug here: >> https://bugzilla.redhat.com/show_bug.cgi?id=1269089 >> >> I tired to run the tests as well and it doesn't seem to break anything. >> Any feedpack appriciated. > > Jan Cholasta, you implemented the check in 2011. What purpose does it have? > > hostname == CN has been deprecated by RFC 2818 for some time, see > https://tools.ietf.org/html/rfc2818#section-3.1 The current check is > also not sufficient to prevent forgery. Browsers and modern TLS > libraries completely ignore CN when a dNSName SAN extension is present.
He just tweaked a pylint error, I did this code. The check isn't perfect (by far) but I don't think forgery is an issue. We're talking about retrieving a public cert, not doing a handshake. I think checking just the common name is ok because of the way IPA issues server certs. I'm not sure if SAN would even come into play in the case of checking this ACL. The only way I see this as being a problem is if a new profile is created for issuing server certs where the CN of the target host isn't in the subject. rob -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code