libnetconf2 icon indicating copy to clipboard operation
libnetconf2 copied to clipboard
verified publisher icon CESNET

[TLS] server identity check is missing

Open j1y3p4rk opened this issue 4 years ago • 1 comments

Hi Michal,

For the TLS secure communication, NETCONF client MUST check the identity of server according to RFC 7589.

I found that libnetconf2 (Netopeer2-CLI) client is not behaving as it's supposed to be. It does not check the validation of hostname in server certificate.

As far as I know, with this line, OpenSSL wouldn't perform 'hostname validation' check.

Could you consider or do you have any plan to update the code so it can comply with NETCONF over TLS specification?

j1y3p4rk avatar Aug 11 '21 11:08 j1y3p4rk

Fine, the check was added but there are little options in libssl to customize it (make it less strict) and the error message is really brief so I expect users using this feature will no longer be able to connect and will not know why.

michalvasko avatar Sep 03 '21 11:09 michalvasko