On 08/09/2023 15:50, Christoph via Pdns-users wrote:
> - does it validate the server certificate? how do I configure the name
> when performing certificate verification?

Not answering your questions about PDNS recursor specifically, but I'll
just point out that 1.1.1.1:853 and 1.0.0.1:853 both have valid signed
certificates with IP SANs, so certificate validation can be performed
with IP address only.

    $ openssl s_client -connect 1.1.1.1:853
    ...
    Verify return code: 0 (ok)

Decoding the certificate with openssl x509 -noout -text:

    X509v3 Subject Alternative Name:
        DNS:cloudflare-dns.com, DNS:*.cloudflare-dns.com,
        DNS:one.one.one.one, IP Address:1.0.0.1, IP Address:1.1.1.1,
        IP Address:162.159.36.1, IP Address:162.159.46.1,
        IP Address:2606:4700:4700:0:0:0:0:1001,
        IP Address:2606:4700:4700:0:0:0:0:1111,
        IP Address:2606:4700:4700:0:0:0:0:64,
        IP Address:2606:4700:4700:0:0:0:0:6400
    ...

For the same reason, using https://1.1.1.1/ in your browser also works.
_______________________________________________
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/pdns-users
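
Added example, not part of the original message and not PowerDNS code: validating by IP address means comparing the dialed address against the certificate's IP Address SAN entries only, so DNS entries and wildcards play no part. The names ip_matches_san, verified_dot_connect and SAMPLE_CERT are assumptions made here; the sample is constructed from part of the SAN list quoted above.

```python
import ipaddress
import socket
import ssl

# Constructed sample: part of the SAN list quoted above, in the shape that
# ssl.SSLSocket.getpeercert() returns it.
SAMPLE_CERT = {
    "subjectAltName": (
        ("DNS", "cloudflare-dns.com"),
        ("DNS", "*.cloudflare-dns.com"),
        ("DNS", "one.one.one.one"),
        ("IP Address", "1.0.0.1"),
        ("IP Address", "1.1.1.1"),
        ("IP Address", "2606:4700:4700:0:0:0:0:1111"),
    )
}


def ip_matches_san(cert, reference):
    """True if `reference` (an IP literal) equals one IP Address SAN entry."""
    try:
        want = ipaddress.ip_address(reference)
    except ValueError:
        return False  # not an IP literal: DNS-name rules apply, not handled here
    for kind, value in cert.get("subjectAltName", ()):
        if kind != "IP Address":
            continue  # DNS entries and wildcards never satisfy an IP identity
        try:
            # Compare parsed addresses so "::1111" equals "0:0:0:0:1111".
            if ipaddress.ip_address(value) == want:
                return True
        except ValueError:
            continue  # malformed SAN entry: ignore it
    return False


def verified_dot_connect(ip, port=853, timeout=5.0):
    """Open a TLS connection that fails unless chain and IP SAN both verify."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED, check_hostname=True
    sock = socket.create_connection((ip, port), timeout=timeout)
    try:
        # An IP literal as server_hostname makes OpenSSL match IP Address SANs.
        return ctx.wrap_socket(sock, server_hostname=ip)
    except Exception:
        sock.close()
        raise
```

verified_dot_connect needs network access and is not called when the file is loaded; ip_matches_san runs offline against the constructed sample.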