Shield HTTPS Client Authentication Hostname Verification


(aditya tripathi) #1

Hostname verification (hostname in the SubjectAlternativeName of the X509 certificate) is done for the server (or the hostname in the URL that the client is connecting to) and not for the client.

I have an HTTPS client to ES and am using self-signed certificates with client authentication on. I am using the PKI realm and have mapped the DN to a role. Things work fine for me. The problem is that it would be great if there was some way to authenticate the hostname of the client in the client certificate.

The problem, I imagine, without the client's hostname verification is that another client or user of ES can also accidentally or maliciously create a certificate with the same DN and have access to someone else's ES index as long as that certificate gets imported to the ES node's keystore, assuming this is a trusted certificate from another client.

Is there any way Shield provides to verify the hostname in the client certificate?

(system) #2

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.