Hi, if my understanding is correct, for a TLS-enabled FoundationDB cluster, fdb verifies that the client certificate is issued via the local trusted certificate authority and that it has the same values as provided by the server in the tls_verify_peers flag. The tls_verify_peers flag takes limited options like CN, C, L, etc.
The issue we are facing is that our certificate issuing authority provides the same values for C, L, ST and O to all the certificates it issues across our organization, because of which anyone with a valid certificate can access our database. We don't want to check against CN as our clients might be located on different hosts, and we don't see a field named "UID" in our certificates (is there something we are missing?).
We do, however, have a serial number which is unique and are okay using the same certificate for both server and clients (is that possible? If yes, can we somehow provide serial number in the verify_peers string?)
Ideally, we are hoping that there could be some additional sort of authentication, like a password string which only legitimate clients are aware of, and an additional flag in the client command for providing the password. Is that possible?
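To make the risk described in this post concrete, here is an added example (not FoundationDB's own verification code) that evaluates a tls_verify_peers-style rule against a few constructed certificates. It assumes the rule syntax documented for FoundationDB (comma-separated `key=value` pairs, with `S.` for subject fields and `I.` for issuer fields; `Check.*` toggles are recognised but treated as always satisfied here) and uses made-up subject values. It shows that a rule built only from C, ST, L and O accepts every certificate the organizational CA ever issued, while adding a subject-specific field narrows acceptance to the intended peer.

```python
# Added example, not FoundationDB's code: a toy evaluator for a
# tls_verify_peers-style rule string. Real verification happens inside
# fdbserver/fdbclient; this only models the field-matching idea.
# Assumed syntax: "S.<field>=value" matches a subject field, "I.<field>=value"
# matches an issuer field, "Check.*=1" entries are validity toggles.

def parse_verify_peers(rule: str) -> dict:
    """Turn 'Check.Valid=1,S.C=US,S.O=Acme' into {('S', 'C'): 'US', ...}."""
    constraints = {}
    for item in rule.split(","):
        item = item.strip()
        if not item:
            continue
        key, _, value = item.partition("=")
        if key.startswith("Check."):
            continue  # validity/expiry checks are assumed to pass in this toy
        scope, _, field = key.partition(".")
        if scope not in ("S", "I") or not field:
            raise ValueError(f"unsupported constraint: {item!r}")
        constraints[(scope, field)] = value
    return constraints


def peer_accepted(rule: str, cert: dict) -> bool:
    """A peer is accepted only if every constraint in the rule matches."""
    names = {"S": cert["subject"], "I": cert["issuer"]}
    return all(
        names[scope].get(field) == value
        for (scope, field), value in parse_verify_peers(rule).items()
    )


# Constructed sample certificates (hypothetical values). The first two come
# from the same organizational CA, so their C/ST/L/O are identical and only
# CN and serial differ; the third is from an unrelated CA.
ORG = {"C": "US", "ST": "CA", "L": "SF", "O": "ExampleCorp"}
ORG_CA = {**ORG, "CN": "ExampleCorp Internal CA"}
OTHER_CA = {"C": "US", "O": "SomeOtherCorp", "CN": "Other CA"}

CERTS = {
    "fdb-client-01": {"subject": {**ORG, "CN": "fdb-client-01"},
                      "issuer": ORG_CA, "serial": "0x1A2B"},
    "payroll-app-07": {"subject": {**ORG, "CN": "payroll-app-07"},
                       "issuer": ORG_CA, "serial": "0x3C4D"},
    "vendor-box": {"subject": {"C": "US", "O": "SomeOtherCorp", "CN": "vendor-box"},
                   "issuer": OTHER_CA, "serial": "0x5E6F"},
}

# Rule using only organization-wide fields: every ExampleCorp cert passes,
# including the payroll app that has nothing to do with the database.
ORG_ONLY_RULE = "Check.Valid=1,Check.Unexpired=1,S.C=US,S.ST=CA,S.L=SF,S.O=ExampleCorp"

# Rule that also pins a subject-specific field (CN here): only the intended
# client passes, which is the narrowing the post is looking for.
CLIENT_RULE = ORG_ONLY_RULE + ",I.CN=ExampleCorp Internal CA,S.CN=fdb-client-01"


def accepted_peers(rule: str) -> list:
    """Names of the constructed certificates that the rule would accept."""
    return sorted(name for name, cert in CERTS.items() if peer_accepted(rule, cert))


if __name__ == "__main__":
    print("org-only rule accepts:", accepted_peers(ORG_ONLY_RULE))
    print("client rule accepts:  ", accepted_peers(CLIENT_RULE))
```

The serial number in the constructed certificates is carried but never consulted, because the rule grammar modelled here only addresses named subject and issuer fields; whether a given FoundationDB release can match on serial is a question for its TLS documentation, not something this toy settles.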