Inbound TLS Certificate SAN Verification


Inbound TLS Certificate SAN Verification

Osama Al-Hassani

Hi all,

I have an enquiry regarding SAN verification when enforcing TLS on inbound connections.

When verifying client certificates we are only able to receive CN data, and cannot get a hold of the SANs.  The request data sent to the policy server does not contain any SAN attributes.

Is there a way to achieve this, possibly via a configuration parameter?

Many thanks,

Osama



Osama Al-Hassani

Software Engineer

Telephone +44 118 903 8607

Twitter @clearswift

1310 Waterside | Arlington Business Park | Theale | Berkshire | RG7 4SA | United Kingdom

Adaptive Security & Data Loss Prevention solutions for email, web, cloud apps and endpoint. On-premise and Hosted deployment options available.

Secure Sharing, Redaction and Data Loss Prevention with Clearswift. Learn more here.

This e-mail and any files transmitted with it are strictly confidential, may be privileged and are intended only for use by the addressee unless otherwise indicated.  If you are not the intended recipient any use, dissemination, printing or copying is strictly prohibited and may be unlawful.  If you have received this e-mail in error, please delete it immediately and contact the sender as soon as possible.  Clearswift cannot be held liable for delays in receipt of an email or any errors in its content. Clearswift accepts no responsibility once an e-mail and any attachments leave us. Unless expressly stated, opinions in this message are those of the individual sender and not of Clearswift.

This email message has been inspected by Clearswift for inappropriate content and security threats.

To find out more about Clearswift’s solutions please visit www.clearswift.com


Re: Inbound TLS Certificate SAN Verification

Viktor Dukhovni
On Wed, Jun 14, 2017 at 08:47:31PM +0000, Osama Al-Hassani wrote:

> When verifying client certificates we are only able to receive CN data,
> and cannot get a hold of the SANs.  The request data sent to the policy
> server does not contain any SAN attributes.

That's correct.  The subject alternative names of client certificates
are not exposed via the policy protocol.

> Is there a way to achieve this, possibly via a configuration parameter?

No.

--
        Viktor.
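As an added illustration of the point made in this reply, not code from the thread or from any MTA project: the policy delegation protocol is assumed here to be the Postfix SMTPD policy format (one attribute=value per line, request terminated by an empty line). The constructed sample request below carries the client-certificate attributes such a request does expose (subject CN, issuer, certificate and public-key fingerprints) and no subjectAltName attribute; the fingerprint strings are placeholders, not real digests. The access decision keys on the certificate fingerprint, which the request carries, rather than on a name it does not.

```python
# Added example, not code from the thread. Assumes the Postfix SMTPD policy
# delegation format: attribute=value lines, request ends with an empty line.
# The sample request and the fingerprint values are constructed placeholders.

TRUSTED_CLIENT_FINGERPRINTS = {
    # Constructed placeholder digest, matching the sample request below.
    "11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44",
}

SAMPLE_REQUEST = (
    "request=smtpd_access_policy\n"
    "protocol_state=RCPT\n"
    "protocol_name=ESMTP\n"
    "client_address=192.0.2.10\n"
    "client_name=mail.example.net\n"
    "sender=alice@example.net\n"
    "recipient=bob@example.com\n"
    "encryption_protocol=TLSv1.2\n"
    "encryption_cipher=ECDHE-RSA-AES256-GCM-SHA384\n"
    "ccert_subject=mail.example.net\n"
    "ccert_issuer=Example Root CA\n"
    "ccert_fingerprint=11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44\n"
    "ccert_pubkey_fingerprint=00:FF:EE:DD:CC:BB:AA:99:88:77:66:55:44:33:22:11:00:FF:EE:DD\n"
    "\n"
)


def parse_policy_request(raw):
    """Parse one policy request into a dict. Stops at the empty line that
    terminates the request and ignores lines without an '='."""
    attrs = {}
    for line in raw.split("\n"):
        if line == "":
            break
        key, sep, value = line.partition("=")
        if sep:
            attrs[key] = value
    return attrs


def client_cert_attributes(attrs):
    """Return only the client-certificate attributes (ccert_* keys)."""
    return {k: v for k, v in attrs.items() if k.startswith("ccert_")}


def san_available(attrs):
    """True if any attribute name looks like a subjectAltName. With the
    protocol as described in the thread this is always False: only the CN,
    issuer and fingerprints are carried."""
    return any("san" in k.lower() or "altname" in k.lower() for k in attrs)


def decide(attrs, trusted_fingerprints):
    """Access decision keyed on the certificate fingerprint, which the request
    carries. A fingerprint match identifies the exact certificate presented;
    a CN string match only identifies a name that any CA in the trust store
    could have issued."""
    if attrs.get("encryption_protocol", "") == "":
        return "action=REJECT TLS required"
    fp = attrs.get("ccert_fingerprint", "")
    if fp == "":
        return "action=REJECT client certificate required"
    if fp in trusted_fingerprints:
        return "action=OK"
    return "action=REJECT client certificate not on allow-list"


def policy_response(raw, trusted_fingerprints=TRUSTED_CLIENT_FINGERPRINTS):
    """One full exchange: parse the request, decide, and format the reply the
    protocol expects (an action line followed by an empty line)."""
    return decide(parse_policy_request(raw), trusted_fingerprints) + "\n\n"


if __name__ == "__main__":
    parsed = parse_policy_request(SAMPLE_REQUEST)
    print("client-cert attributes:", client_cert_attributes(parsed))
    print("SAN attribute present:", san_available(parsed))
    print(policy_response(SAMPLE_REQUEST), end="")
```

Pinning trusted clients by certificate fingerprint sidesteps the missing SAN data entirely: the fingerprint is bound to one specific certificate, so a name match in CN or SAN adds nothing once the fingerprint is on the allow-list. Note that the digest algorithm behind the fingerprint is a server-side setting, so an allow-list must be regenerated if that setting changes.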

RE: Inbound TLS Certificate SAN Verification

Osama Al-Hassani
Is there any reason for this?

Can we submit an enhancement request, or a patch?

Thanks,
Osama

-----Original Message-----
From: [hidden email] [mailto:[hidden email]] On Behalf Of Viktor Dukhovni
Sent: 15 June 2017 01:39
To: [hidden email]
Subject: Re: Inbound TLS Certificate SAN Verification

On Wed, Jun 14, 2017 at 08:47:31PM +0000, Osama Al-Hassani wrote:

> When verifying client certificates we are only able to receive CN
> data, and cannot get a hold of the SANs.  The request data sent to the
> policy server does not contain any SAN attributes.

That's correct.  The subject alternative names of client certificates are not exposed via the policy protocol.

> Is there a way to achieve this, possibly via a configuration parameter?

No.

--
        Viktor.

----------------------------------------------------------------------------------------------
Message Processed by the Clearswift V4 Engineering Dogfood Secure Email Gateway
