Would you consider adding a feature to match tls.permittedpeer fingerprints with hostnames?
Currently if you have a list of peers using omrelp to write to a "master" node, which is using imrelp and tls.authmode="fingerprint" with a list of tls.permittedpeer fingerprints, any client peer can masquerade as any other client.
To avoid this, we can check if $hostname and $fromhost-ip match, but it would be more robust to check against the fingerprint.
Maybe it's possible to populate a $fingerprint variable with the connection's TLS fingerprint?
Or have a hash for tls.permittedpeer with hostname -> fingerprint to automatically drop messages (or log separately perhaps) for hostname/fingerprint mismatch?
Thanks.
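For reference, here is a constructed rsyslog configuration for the setup described in this issue: a "master" node running imrelp with tls.authmode="fingerprint" and a list of tls.permittedpeer fingerprints, plus the $hostname/$fromhost-ip cross-check mentioned as the current workaround. This is an added example, not configuration from the issue author or from the rsyslog project; the port, certificate paths, fingerprints, client names and IP addresses are all placeholders chosen for illustration.

```rsyslog
# Constructed example, not from the original issue. Paths, port, fingerprints,
# hostnames and IPs are placeholders.

# --- "master" node: accept RELP over TLS, authenticate peers by fingerprint ---
module(load="imrelp")

input(type="imrelp" port="2514" tls="on"
      tls.caCert="/etc/rsyslog.d/ca.pem"
      tls.myCert="/etc/rsyslog.d/master-cert.pem"
      tls.myPrivKey="/etc/rsyslog.d/master-key.pem"
      tls.authMode="fingerprint"
      # Any peer presenting one of these certificates is accepted, but nothing
      # ties a given fingerprint to the hostname the peer puts in its messages.
      tls.permittedPeer=["SHA1:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44",
                         "SHA1:AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD"]
      ruleset="relp_in")

ruleset(name="relp_in") {
    # Workaround described in the issue: cross-check the claimed $hostname
    # against the source IP of the RELP connection. The name-to-IP table below
    # is a placeholder; with a fingerprint variable this could compare against
    # the peer's certificate fingerprint instead of its IP.
    if ($hostname == "client1" and $fromhost-ip != "192.0.2.11") or
       ($hostname == "client2" and $fromhost-ip != "192.0.2.12") then {
        # Hostname/source mismatch: log separately and do not process further.
        action(type="omfile" file="/var/log/relp-mismatch.log")
        stop
    }
    action(type="omfile" file="/var/log/relp.log")
}

# --- client peer: send over RELP with TLS, pinning the master's fingerprint ---
module(load="omrelp")

action(type="omrelp" target="master.example.net" port="2514" tls="on"
       tls.caCert="/etc/rsyslog.d/ca.pem"
       tls.myCert="/etc/rsyslog.d/client1-cert.pem"
       tls.myPrivKey="/etc/rsyslog.d/client1-key.pem"
       tls.authMode="fingerprint"
       tls.permittedPeer=["SHA1:99:88:77:66:55:44:33:22:11:00:FF:EE:DD:CC:BB:AA:99:88:77:66"])
```

The limitation the issue points out is visible in the ruleset: fingerprint authentication only proves the sender holds one of the permitted certificates, so the IP-based table is what stops client1's certificate from being used to inject messages tagged with client2's hostname, and an IP check is weaker than binding the hostname to the certificate fingerprint itself.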