Timo Sirainen <tss@iki.fi> (Di 13 Okt 2015 21:02:59 CEST): …
On connection setup from a client the director connects to the selected backend. But it seems (not checked in the source yet), that for SSL certificate verification the director doesn't know the original host name anymore. The certificate's CN gets compared to the IP address the director connects to.
Right. The hostnames are lost immediately at director startup. I've never really thought about needing this functionality for director, since they're usually in the same trusted network with backends..
That's it… "ususally". And additionally local policy says that we should use secured connections whenever credentials are transported … And since the director uses either a master password or the credentials obtained from the client, we want to use secured connections. And using TLS w/o verified certs is better than nothing, but it's far from being perfect.
I see:
a) pass the host *names* to the director too, for CN verification
purpose
May be in struct mail_host could be a field for the original
hostname we used to obtain the adress(es)?
or b) allow some kind of certificate pinning, that is loose the implied relation CN <=> hostname
Should I create certificates with IP address in SAN? (Any hint about the correct syntax for the openssl.conf is welcome). Or is there any chance that this is fixed already or will be fixed in the near future or even better, that it's my fault?
I guess that could work for now. No idea about how to do such certificates.
I'll try that, but I think it's not a solution as soon as we reach out for "official" certs. And because it puts more details about the infrastructure into the configuration than would be necessary.
Best regards from Dresden/Germany
Viele Grüße aus Dresden
Heiko Schlittermann
-- SCHLITTERMANN.de ---------------------------- internet & unix support - Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} - gnupg encrypted messages are welcome --------------- key ID: F69376CE - ! key id 7CBF764A and 972EAC9F are revoked since 2015-01 ------------ -