
Further secure TLS communications

Open · saroshali-dbx opened this issue 3 years ago · 1 comment

Currently when using TLS, the servers will accept requests from any client that has a certificate signed by the specified Certificate Authority. As such, I'd like to see custom server certificate validation supported. This will help enforce deny-by-default.

I'd like to be able to pass a flag, such as -cert-allowed-cn, that can be used to create a custom VerifyPeerCertificate (part of the crypto/tls package) and can be passed as a callback directly to the tls config. All this function needs to do is verify that the seen common-name is the same as the expected common-name.

Willing to submit a PR if the maintainers think this is a good idea. Thanks!

saroshali-dbx · Jun 06 '22 14:06
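For illustration, an added Go sketch of the callback the issue proposes, written for this page and not taken from the project or from any PR; the flag name `-cert-allowed-cn` comes from the issue, while `allowedCNVerifier` and `serverTLSConfig` are hypothetical names and the CN values are constructed sample data. The check runs after Go's normal chain verification, so it only sees `verifiedChains` when the standard CA validation has already passed (and the empty-chain case is rejected rather than silently accepted).

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
)

// allowedCNVerifier returns a tls.Config.VerifyPeerCertificate callback that
// rejects any peer whose leaf certificate Subject.CommonName differs from allowedCN.
// It is called by crypto/tls after CA chain verification; verifiedChains is empty
// when InsecureSkipVerify is set, which this callback treats as a failure.
func allowedCNVerifier(allowedCN string) func([][]byte, [][]*x509.Certificate) error {
	return func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error {
		if len(verifiedChains) == 0 || len(verifiedChains[0]) == 0 {
			return errors.New("no CA-verified peer certificate chain present")
		}
		leaf := verifiedChains[0][0] // first element of a chain is the peer's own cert
		if leaf.Subject.CommonName != allowedCN {
			return fmt.Errorf("peer CN %q not allowed, expected %q", leaf.Subject.CommonName, allowedCN)
		}
		return nil
	}
}

// serverTLSConfig wires the verifier into a server-side config: clients must
// present a cert signed by a CA in caPool AND carry the expected CN (deny by default).
func serverTLSConfig(caPool *x509.CertPool, allowedCN string) *tls.Config {
	return &tls.Config{
		ClientAuth:            tls.RequireAndVerifyClientCert,
		ClientCAs:             caPool,
		VerifyPeerCertificate: allowedCNVerifier(allowedCN),
	}
}

func main() {
	// Constructed sample: the value that would come from -cert-allowed-cn.
	verify := allowedCNVerifier("prometheus-scraper")
	good := &x509.Certificate{Subject: pkix.Name{CommonName: "prometheus-scraper"}}
	bad := &x509.Certificate{Subject: pkix.Name{CommonName: "some-other-client"}}
	fmt.Println("good CN:", verify(nil, [][]*x509.Certificate{{good}}))
	fmt.Println("bad CN: ", verify(nil, [][]*x509.Certificate{{bad}}))
	fmt.Println("no chain:", verify(nil, nil))
}
```

Note that an empty `allowedCN` would match only a certificate with an empty CN, so a real flag should refuse an empty value rather than treating it as "allow all".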

Thanks, I see you opened a PR in the upstream Prom library.

bboreham · Jul 04 '22 10:07