Details
Description
We currently aren't correctly handling hostname verification on master-generated (ipki) certificates. This has big consequences in terms of the security of the system, and what active attackers with access to a cert can achieve. A couple of points that came out of discussions:
- We currently don't plumb the remote hostname into the client negotiation, which will probably become necessary to avoid a reverse-DNS lookup when verifying the server's cert.
- The master should be validating that the hostname in a tserver's CSR matches the Kerberos principal of the connection's authentication.
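The two checks described above, written out as an added example (this is not Kudu's own code): the master refuses to sign a CSR whose hostname differs from the host part of the authenticated Kerberos principal, and a client verifies the server's certificate against the hostname it actually dialed, so no reverse-DNS lookup is involved. The CSR is modelled as a plain list of requested hostnames and the principal as a string, which is an assumption made for the example.

```python
import ipaddress
from typing import Iterable, Optional


def _norm(host: str) -> str:
    # DNS names compare case-insensitively; a trailing dot marks an FQDN.
    return host.strip().rstrip(".").lower()


def principal_host(principal: str) -> Optional[str]:
    """Host component of a service principal such as
    'kudu/ts1.example.com@EXAMPLE.COM'; None for user principals."""
    name, sep, _realm = principal.partition("@")
    if not sep:
        return None
    parts = name.split("/")
    if len(parts) != 2 or not parts[1]:
        return None
    return _norm(parts[1])


def master_should_sign(csr_hostnames: Iterable[str], principal: str) -> bool:
    """Master-side check: every hostname the CSR asks for must equal the
    authenticated principal's host. Wildcards and empty requests are refused,
    so a holder of one tserver's credentials cannot obtain a cert for another."""
    host = principal_host(principal)
    names = list(csr_hostnames)
    if host is None or not names:
        return False
    return all("*" not in n and _norm(n) == host for n in names)


def client_hostname_ok(dialed_host: str, cert_dns_names: Iterable[str],
                       cert_ip_addrs: Iterable[str] = ()) -> bool:
    """Client-side check against the address the client dialed (assumed to be
    plumbed into the negotiation). An IP literal must match an IP SAN and a
    DNS name must match a DNS SAN exactly; wildcards are not accepted."""
    try:
        ip = ipaddress.ip_address(dialed_host)
    except ValueError:
        ip = None
    if ip is not None:
        return any(ipaddress.ip_address(a) == ip for a in cert_ip_addrs)
    want = _norm(dialed_host)
    return any("*" not in n and _norm(n) == want for n in cert_dns_names)
```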