verify_client_name

Specifies a semicolon-separated list of names to use in peer name verification, or disables peer name verification.

verify_client_name | vfy_clt_nm = Type:PeerName{; TypeN:PeerNameN} | {no | n | 0}

Arguments

  • Type:—keyword that specifies the type or format of the following peer name; one of DNS, IP, URI, or Email. The keyword is case-insensitive.
  • PeerName—peer name of the specified type, for example ABC0123.mycompany.com (DNS), 123.0.2.34 (IP), urn:uniface:urouter:10.3.01 (URI), or info@mycompany.com (Email).

Use

Set this option in the TLS server assignment file. It must be set if verify_client is yes.

Description

When client verification is enabled, the TLS connector by default also verifies that the name of the client matches a name in its certificate. You must specify one or more names that the TLS connector can match against a name in the client's certificate. Alternatively, you can disable client name verification.

You can provide multiple DNS, IP and Email items in the list of names. Each name specified by verify_client_name must be preceded by the prefix for its type, for example, dns:a.mycompany.com or ip:197.68.0.1.

When trying to match a peer name against a name in the certificate, the TLS connector checks the name against the Subject Alternative Names of that type. If any name specified by verify_client_name matches a name in the certificate, the validation succeeds and the connection is established.

If a DNS name or IP address is specified and no match is found in the Subject Alternative Names, the Subject Common Name field is also checked.

For URIs, the TLS connector performs a case-insensitive comparison of the whole string against the Subject Alternative Names of type URI. A URI can be a URL (location) or URN (name) of a resource. It cannot include commas and semi-colons, which are used as separators in Uniface.

An Email address is checked against the Subject Alternative Names of type Email address, and against the Subject emailAddress.

DNS names may contain an asterisk (*) as wildcard in the left-most segment of the name, representing the host name.

IPv6 addresses that appear different but are equivalent, such as 0::1 and ::1, will match.
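As an added illustration (not code from Uniface or from this reference page), the matching rules described above, written in Python against a constructed set of certificate names; the dictionary layout, the function names and the exact comparison used for email addresses are assumptions:

```python
import ipaddress
# Constructed stand-in for the names taken from a client certificate; a real
# check would read these from the parsed X.509 certificate.
CLIENT_CERT = {
    "san": {"DNS": ["node7.a_company.com"], "IP": ["0::1"],
            "URI": ["urn:uniface:urouter:10.3.01"], "Email": ["ops@a_company.com"]},
    "subject": {"CN": "legacy.a_company.com", "emailAddress": "admin@a_company.com"},
}

def parse_verify_client_name(value):
    """None when verification is disabled (no/n/0), else a list of (TYPE, name)."""
    text = value.strip()
    if text.lower() in ("no", "n", "0"):
        return None
    items = []
    for item in text.split(";"):
        typ, _, name = item.partition(":")  # URIs contain ':' so split once only
        typ, name = typ.strip().upper(), name.strip()
        if typ not in ("DNS", "IP", "URI", "EMAIL") or not name:
            raise ValueError(f"bad verify_client_name item: {item!r}")
        items.append((typ, name))
    return items

def dns_match(pattern, name):
    # '*' is accepted only as the whole left-most (host) label; labels compare case-insensitively.
    p, n = pattern.lower().split("."), name.lower().split(".")
    return len(p) == len(n) and p[1:] == n[1:] and p[0] in ("*", n[0])

def ip_match(a, b):
    # Parsing normalises equivalent spellings, so 0::1 and ::1 compare equal.
    try:
        return ipaddress.ip_address(a) == ipaddress.ip_address(b)
    except ValueError:
        return False

def peer_name_matches(typ, name, cert):
    san, subject = cert["san"], cert["subject"]
    if typ == "DNS":   # SANs of type DNS, then the Subject CN as fallback
        return any(dns_match(name, c) for c in san.get("DNS", []) + [subject.get("CN", "")] if c)
    if typ == "IP":    # SANs of type IP, then the Subject CN as fallback
        return any(ip_match(name, c) for c in san.get("IP", []) + [subject.get("CN", "")] if c)
    if typ == "URI":   # whole-string, case-insensitive, SAN URI entries only
        return any(name.lower() == c.lower() for c in san.get("URI", []))
    # Email: SAN email entries and the Subject emailAddress; exact comparison (assumption)
    return name in san.get("Email", []) + [subject.get("emailAddress", "")]

def client_name_verified(setting, cert):
    """True when verification is disabled or any configured peer name matches."""
    items = parse_verify_client_name(setting)
    return items is None or any(peer_name_matches(t, n, cert) for t, n in items)
```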

Specifying Names for Client Peer Verification

;urouter.asn
[NET_SETTINGS]
CheckClient=verify_client=yes, verify_client_name=dns:*.a_company.com;ip:197.68.0.1, ca_certificate=clcert.crt

Disabling Client Name Verification

You can disable client name verification by specifying verify_client_name = no (or its equivalent).

;urouter.asn
[NET_SETTINGS]
CheckClient=verify_client=yes, verify_client_name=no, ca_certificate=clcert.crt