Samba and SSL

Richard Sharpe sharpe at ns.aus.com
Mon Jan 25 15:57:20 GMT 1999


Hi,

Now I have got the bit between my teeth.

At the moment, the only thing that the SSL support in Samba does is check
if the certificate presented is valid.

However, it seems that the next step is to check that the common name
matches in some sense the DNS name of the entity presenting the certificate.

E.g., we might have a parameter check remote cert = <DNS subset>

so, check remote cert = .mydom.com fred.yourdom.com

would cause Samba to reject remote certificates that did not match one of
these.  In the case of .mydom.com, names like sys1.mydom.com would match.

Now, one needs to be careful as well in checking the DNS name.  One should
take the IP address and back translate it, and then forward translate it,
and insist on authoritative responses etc, and maybe ask a number of DNS
servers for the answers.

Comments?

Regards
-------
Richard Sharpe, sharpe at ns.aus.com, NIC-Handle:RJS96
NS Computer Software and Services P/L, 
Ph: +61-8-8281-0063, FAX: +61-8-8250-2080, 
Samba (Team member), Linux, Apache, Digital UNIX, AIX, C, ...
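
The matching rule proposed in the message above, sketched as an added example; it is not part of the original post and is not Samba code. The helper name cert_name_allowed() is hypothetical, and three behaviours are assumptions beyond the post: the bare domain (mydom.com) does not match .mydom.com, a trailing root dot is ignored, and a common name containing an embedded NUL byte is rejected.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Case-insensitive compare of n bytes (DNS names are case-insensitive). */
static int eq_nocase(const char *a, const char *b, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return 0;
    return 1;
}

/* Match one pattern (plen bytes) against the certificate name (nlen bytes). */
static int match_one(const char *pat, size_t plen, const char *name, size_t nlen)
{
    /* ".mydom.com": suffix match. The leading dot forces a label boundary,
     * so "evilmydom.com" cannot match; nlen > plen excludes an empty host. */
    if (plen > 1 && pat[0] == '.')
        return nlen > plen && eq_nocase(name + nlen - plen, pat, plen);
    return nlen == plen && eq_nocase(name, pat, plen);   /* exact host name */
}

/*
 * cert_name_allowed() is a hypothetical helper. `list` is the value of the
 * proposed "check remote cert" parameter (whitespace-separated patterns);
 * `cn`/`cn_len` is the common name exactly as taken from the certificate.
 * Returns 1 if the name matches a pattern, 0 otherwise.
 */
int cert_name_allowed(const char *list, const char *cn, size_t cn_len)
{
    /* Reject empty names and names with an embedded NUL, which would
     * otherwise look like a shorter, trusted name to strcmp-style code. */
    if (cn_len == 0 || memchr(cn, '\0', cn_len) != NULL)
        return 0;
    if (cn[cn_len - 1] == '.')              /* ignore a trailing root dot */
        cn_len--;

    while (*list != '\0') {
        size_t plen;
        list += strspn(list, " \t");        /* skip separators */
        plen = strcspn(list, " \t");        /* length of the next pattern */
        if (plen > 0 && match_one(list, plen, cn, cn_len))
            return 1;
        list += plen;
    }
    return 0;
}
```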

