Allow setting the server hostname for TLS connection#83
Open
ameir wants to merge 1 commit intommatczuk:masterfrom
Open
Allow setting the server hostname for TLS connection#83ameir wants to merge 1 commit intommatczuk:masterfrom
ameir wants to merge 1 commit intommatczuk:masterfrom
Conversation
…r hostname in `server_addr` doesn't match one of the names in the cert, then the connection fails. This PR allows you to specify an allowed hostname. The use-case for this is that we have auto-generated certs per node in AWS, but are establishing the tunnel through an NLB. The NLB hostname does not match what is in the cert, so the connection fails without this patch.
Owner
In my view this is a generally expected behavior and adding the change would be confusing for other users. I believe your problem shall be solved by a better cert generation and DNS service registration. |
Author
|
In my company, each host automatically gets a cert generated by our
internal CA, and with an internal common name. That common name is not
publicly resolvable, and we are not allowed to use any certificates other
than these, as there's automation around revocation and renewal and such.
The hosts can be made reachable via a load balancer, which will have an
entirely different hostname. We need a way to override the name that's
checked in the cert, and this patch accomplishes it. I think lots of folks
use internal CAs, and this should definitely help.
…On Sun, Jul 15, 2018, 2:11 AM Michał Matczuk ***@***.***> wrote:
If the server hostname in server_addr doesn't match one of the names in
the cert, thenthe connection fails.
In my view this is a generally expected behavior and adding the change
would be confusing for other users.
I believe your problem shall be solved by a better cert generation and DNS
service registration.
—
You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub
<#83 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AAW2OkAZCGyM9dJ2_uWPoT3BLLDOxi3Aks5uGt0YgaJpZM4VKt6g>
.
|
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
When using SAN certs, hostname verification is enforced. If the server hostname in
server_addrdoesn't match one of the names in the cert, thenthe connection fails. This PR allows you to specify an allowed hostname. The use-case for this is that we have auto-generated certs per node in AWS,but are establishing the tunnel through an NLB. The NLB hostname does not match what is in the cert, so the connection fails without this patch.