Comments (4)
Hi, it seems like you are right and it should work like you expected. I started working on the changes and they should be in the devel branch soon.
from netopeer2.
Hello,
our understanding of the cert-to-name process is that the client's username is always determined from the client's (peer's) certificate. The YANG description is not very clear in this regard. Furthermore, with your expectations, different clients would be able to share the same username, and we did not think this was an actual use case. Also, you are using quite an old version and, if I recall correctly, there have been some improvements to the cert-to-name mechanism, yet this logic of obtaining the username solely from the peer's certificate remains.
We may have interpreted the YANG description incorrectly and you may be right. My question is: why would you need to obtain the username from a CA certificate instead of the peer's? Are there any resources that would further support your expectations?
from netopeer2.
Thank you for the response.
"Security administrators are encouraged to make use of certificates with subjectAltName fields that can be mapped to names so that a single root CA certificate can allow all child certificates' subjectAltName fields to map directly to a name via a 1:1 transformation."
RFC 6353 (section 7) and the cert-to-name YANG description point to using the CA so that all child certificates share a common username/privileges.
The use case is to have common privileges if the child certificates are signed by CA1, for example.
from netopeer2.
@Roytak Please let us know if you have any comments or suggestions.
Making changes in nc_tls_cert_to_name and nc_tlsclb_verify to derive the name as per RFC 6353 (section 7) and the cert-to-name YANG description. I will update once validated.
from netopeer2.
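The two readings discussed in this thread differ only in which certificates of the presented chain an entry's fingerprint is compared against: the peer (end-entity) certificate alone, or the peer certificate and any CA certificate in its chain. Below is an added, self-contained Python model of the cert-to-name search written for this page; it is not netopeer2 or libnetconf2 code, does not parse real X.509, and uses constructed `Cert` stand-ins whose "DER" is a labelled byte string. The `match_chain` switch lets you compare both readings on the same configuration; the name is always derived from the peer certificate, which is what makes the RFC 6353 section 7 guidance (one CA fingerprint, one username per child certificate via subjectAltName) work.

```python
"""cert-to-name matching over a certificate chain (constructed educational model)."""
import hashlib
from dataclasses import dataclass, field

# map-type identities from ietf-x509-cert-to-name (RFC 7407); only the ones
# needed to illustrate the discussion are modelled here.
SPECIFIED = "specified"
SAN_RFC822_NAME = "san-rfc822-name"
SAN_DNS_NAME = "san-dns-name"
SAN_ANY = "san-any"
COMMON_NAME = "common-name"


@dataclass
class Cert:
    """Constructed stand-in for an X.509 certificate (not real DER)."""
    der: bytes                 # would be the DER encoding; here a constructed label
    common_name: str
    san_rfc822: list = field(default_factory=list)
    san_dns: list = field(default_factory=list)

    def fingerprint(self):
        # a cert-to-name fingerprint is a hash over the DER certificate;
        # we render it as "sha256:<hex>" for readability
        return "sha256:" + hashlib.sha256(self.der).hexdigest()


@dataclass
class CertToNameEntry:
    id: int
    fingerprint: str
    map_type: str
    name: str = ""             # only used with map-type 'specified'


def derive_name(peer, map_type, specified_name):
    """Derive the username from the peer's (end-entity) certificate only."""
    if map_type == SPECIFIED:
        return specified_name
    if map_type == SAN_RFC822_NAME:
        return peer.san_rfc822[0] if peer.san_rfc822 else None
    if map_type == SAN_DNS_NAME:
        return peer.san_dns[0] if peer.san_dns else None
    if map_type == SAN_ANY:
        return (peer.san_rfc822 + peer.san_dns or [None])[0]
    if map_type == COMMON_NAME:
        return peer.common_name
    return None


def cert_to_name(chain, entries, match_chain=True):
    """chain[0] is the peer certificate, followed by its issuing CA(s).

    Entries are tried in id order. An entry matches when its fingerprint
    equals the fingerprint of the peer certificate or, with match_chain=True,
    of any CA certificate in the chain. Whichever certificate matched, the
    name is derived from the peer certificate. An entry whose map-type yields
    no name (e.g. the peer has no such subjectAltName) is skipped so the
    search continues with the next entry.
    """
    peer = chain[0]
    candidates = chain if match_chain else chain[:1]
    chain_fps = {c.fingerprint() for c in candidates}
    for entry in sorted(entries, key=lambda e: e.id):
        if entry.fingerprint in chain_fps:
            name = derive_name(peer, entry.map_type, entry.name)
            if name is not None:
                return name
    return None


# constructed sample PKI: one CA and two client certificates it issued
CA1 = Cert(der=b"constructed-der:ca1", common_name="CA1")
ALICE = Cert(der=b"constructed-der:alice", common_name="alice-device",
             san_rfc822=["alice@example.com"])
BOB = Cert(der=b"constructed-der:bob", common_name="bob-device",
           san_rfc822=["bob@example.com"])

# constructed cert-to-name configuration: a per-client override for ALICE,
# then a single CA1 entry that maps every child certificate via its SAN
ENTRIES = [
    CertToNameEntry(1, ALICE.fingerprint(), SPECIFIED, "admin"),
    CertToNameEntry(2, CA1.fingerprint(), SAN_RFC822_NAME),
]


def demo():
    """Compare both readings of the search on the same configuration."""
    return {
        "alice_chain": cert_to_name([ALICE, CA1], ENTRIES),
        "bob_chain": cert_to_name([BOB, CA1], ENTRIES),
        "bob_peer_only": cert_to_name([BOB, CA1], ENTRIES, match_chain=False),
    }


if __name__ == "__main__":
    for case, username in demo().items():
        print(f"{case}: {username}")
```

With chain matching, ALICE still gets her explicit `admin` mapping because entry 1 precedes the CA entry, and BOB, who has no entry of his own, is mapped to `bob@example.com` through the CA1 fingerprint. With peer-only matching, BOB is not mapped at all, which is the behaviour the thread reports. Note that this is why an operator auditing such a configuration should check where each CA-fingerprint entry sits in the id order: a broad CA entry placed before a narrower per-client entry silently shadows it.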