Authentication of clients using TLS

Hi, if my understanding is correct, for a TLS enabled Foundationdb cluster, fdb verifies that the client certificate is issued via the local trusted certificate authority and it has the same values as provided by the server in the tls_verify_peers flag. The tls_verify_peers flag takes limited options like CN, C, L, etc.

The issue we are facing is that our certificate issuing authority provides the same values for C, L, ST and O to all the certificates it issues across our organization because of which anyone with a valid certificate can access our database. We don’t want to check against CN as our clients might be located on different hosts and we don’t see a field named “UID” in our certificates (Is there something we are missing?)

We do, however, have a serial number which is unique and are okay using the same certificate for both server and clients (is that possible? If yes, can we somehow provide serial number in the verify_peers string?)

Ideally, we are hoping that there be some additional sort of authentication like a password string which only legitimate clients are aware of and there be an additional flag in the client command for providing the password. Is it possible?

There is no password-based authentication option available. The closest way to hack this would be to set up your verify peers string to only accept one certificate from all servers and clients, and then have your certificate require a password (see --tls_password in Configuring TLS).

If you need the ability to match against other fields in the certificate, I’d be happy to review a PR that adds additional field names to the TLS implementation. 🙂
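As an added example (not code from either post and not FoundationDB's own implementation), the following Python models the attribute matching discussed in the question and answer: a verify-peers rule is an AND of `S.<attr>=<value>` (subject) and `I.<attr>=<value>` (issuer) conditions, applied here to constructed certificates that share the org-wide C/ST/L/O values. Check.* conditions, comma escaping and validity checks are deliberately left out of this simplified model.

```python
"""Simplified model of peer-attribute matching (added example, not FDB code).

A rule is an AND of S.<attr>=<value> (subject) and I.<attr>=<value> (issuer)
conditions. Certificates are plain dicts holding the fields a verifier could
compare; all data below is constructed sample input.
"""

# Constructed certificates: both were issued by the same organisational CA,
# so C, ST, L and O are identical; only CN (hostname) and serial differ.
ORG_CA = {"CN": "Example Corp Issuing CA", "O": "Example Corp", "C": "US"}
DB_CLIENT = {"subject": {"CN": "db-client-01.example.internal", "C": "US",
                         "ST": "CA", "L": "SF", "O": "Example Corp"},
             "issuer": ORG_CA, "serial": "0A1B"}
OTHER_APP = {"subject": {"CN": "hr-app.example.internal", "C": "US",
                         "ST": "CA", "L": "SF", "O": "Example Corp"},
             "issuer": ORG_CA, "serial": "0A1C"}
CERTS = {"db-client": DB_CLIENT, "hr-app": OTHER_APP}

def parse_rule(rule: str):
    """Turn 'S.C=US,I.CN=Foo' into [('subject','C','US'), ('issuer','CN','Foo')]."""
    conds = []
    for part in rule.split(","):
        key, _, value = part.partition("=")
        side, _, attr = key.partition(".")
        if side not in ("S", "I") or not attr or not value:
            raise ValueError(f"malformed condition: {part!r}")
        conds.append(("subject" if side == "S" else "issuer", attr, value))
    return conds

def accepts(rule: str, cert: dict) -> bool:
    """True only if every condition in the rule matches the certificate."""
    return all(cert[side].get(attr) == value
               for side, attr, value in parse_rule(rule))

def which_accepted(rule: str, certs: dict) -> list:
    """Names of the certificates a rule lets through, in a stable order."""
    return sorted(name for name, cert in certs.items() if accepts(rule, cert))

# Org-wide attributes only: every certificate from this CA passes.
BROAD_RULE = "S.C=US,S.ST=CA,S.L=SF,S.O=Example Corp,I.CN=Example Corp Issuing CA"
# Adding the subject CN narrows acceptance to the intended client.
NARROW_RULE = BROAD_RULE + ",S.CN=db-client-01.example.internal"

if __name__ == "__main__":
    print("broad  :", which_accepted(BROAD_RULE, CERTS))   # both certificates
    print("narrow :", which_accepted(NARROW_RULE, CERTS))  # only db-client
```

The serial number is carried in the model to make the point that it is the one distinguishing value the two certificates have besides CN, but no rule syntax here matches on it, which mirrors the limitation described in the question.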