subjectAltName verification #48
Comments
|
I'll take a look. It's a reasonable feature, and I'm not opposed. I can't promise I'll get to it in the next week though. I'd, of course, encourage you to give it a try and raise a PR. You get the added glory of your name in the AUTHORS file. |
|
I should have checked what you actually want here. I /think/ you want to be able to limit verification based on the SAN presented in the clients cert? (the example you linked to is just enabling a check that checks the cert usage I think) |
|
Hi - yes we were envisaging using the SAN in the client cert to allow/prevent access (i.e checking one presented by the prometheus server when it pulls data from the exporter). |
|
So a regex match on the client cert's SAN would work? (this has been suggested before and is what I assumed you wanted, just want to clarify) |
|
That would be perfect, yes! |
Would it be possible to add server SAN verification to the tls config in this exporter? This would allow us to use our existing certificate setup without having to take extra steps to do verification.
I'm not a go programmer, but after a brief look at the code I think the methods outlined in this blog post would do the job:
https://dev.to/living_syn/validating-client-certificate-sans-in-go-i5p
I'm happy to try and create a PR if that would be useful?
The text was updated successfully, but these errors were encountered: