Support trusting only a set of certificate hashes #10523

Open
@sinkingpoint

Description

Is your feature request related to a problem? Please describe.
When using publicly signed client certificates, we need some way to limit the keys that we trust (otherwise any publicly signed cert would work). This is generally achieved by specifying a set of SHA(1|256) fingerprints to trust (e.g. https://www.syslog-ng.com/technical-documents/doc/syslog-ng-open-source-edition/3.16/administration-guide/56#tls-options-trusted-keys ).

Describe the solution you'd like
I'd like to introduce a new option into configtls, TrustedKeys []string, which would introduce a VerifyPeerCertificate callback to the TLS config that rejects the TLS connection if the key hash is not in the list of trusted keys.

Describe alternatives you've considered
We could use privately signed certs, but publicly signed client certs are a relatively common occurrence.
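
A sketch of the kind of callback the issue proposes, added here as an illustration; it is not code from the issue or from the project. `NewPinVerifier` is a hypothetical name, and treating the "key hash" as the SHA-256 fingerprint of the leaf certificate's DER bytes is an assumption.

```go
package main

import (
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"encoding/hex"
	"fmt"
	"strings"
)

// NewPinVerifier (hypothetical name) returns a VerifyPeerCertificate callback
// that accepts a peer only if the SHA-256 of its leaf certificate (DER) is in
// trusted. An empty or malformed list is an error, so a bad config fails closed.
func NewPinVerifier(trusted []string) (func([][]byte, [][]*x509.Certificate) error, error) {
	if len(trusted) == 0 {
		return nil, fmt.Errorf("trusted key list is empty")
	}
	pins := make(map[[sha256.Size]byte]struct{}, len(trusted))
	for _, fp := range trusted {
		raw, err := hex.DecodeString(strings.ReplaceAll(strings.TrimSpace(fp), ":", ""))
		if err != nil || len(raw) != sha256.Size {
			return nil, fmt.Errorf("invalid SHA-256 fingerprint %q", fp)
		}
		var k [sha256.Size]byte
		copy(k[:], raw)
		pins[k] = struct{}{}
	}
	return func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
		if len(rawCerts) == 0 {
			return fmt.Errorf("peer presented no certificate")
		}
		if _, ok := pins[sha256.Sum256(rawCerts[0])]; !ok {
			return fmt.Errorf("peer certificate fingerprint is not trusted")
		}
		return nil
	}, nil
}

func main() {
	leaf := []byte("constructed stand-in for DER certificate bytes") // sample input
	sum := sha256.Sum256(leaf)
	verify, err := NewPinVerifier([]string{hex.EncodeToString(sum[:])})
	if err != nil {
		panic(err)
	}
	cfg := &tls.Config{ClientAuth: tls.RequireAndVerifyClientCert, VerifyPeerCertificate: verify}
	fmt.Println(cfg.VerifyPeerCertificate([][]byte{leaf}, nil), cfg.VerifyPeerCertificate([][]byte{[]byte("other")}, nil))
}
```

With `tls.RequireAndVerifyClientCert` the callback runs after normal chain verification, so the pin narrows the set of publicly signed certificates rather than replacing validation. Go does not invoke `VerifyPeerCertificate` on resumed sessions, which matters when a fingerprint is removed from the list.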
