sudo_logsrvd: Add option to disable client host name check

The tls_checkhost setting in the [server] section can be used to
disable host name and IP address checking in the client's certificate
when tls_checkpeer is enabled.  This makes it possible to use a
single certificate for multiple clients and avoids DNS lookups
when the client connects.

Author: millert

docs/sudo_logsrvd.conf.mdoc.in

@@ -1,7 +1,7 @@
 .\"
 .\" SPDX-License-Identifier: ISC
 .\"
-.\" Copyright (c) 2019-2025 Todd C. Miller <[email protected]>
+.\" Copyright (c) 2019-2026 Todd C. Miller <[email protected]>
 .\"
 .\" Permission to use, copy, modify, and distribute this software for any
 .\" purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +15,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd November 29, 2025
+.Dd February 21, 2026
 .Dt SUDO_LOGSRVD.CONF @mansectform@
 .Os Sudo @PACKAGE_VERSION@
 .Sh NAME
@@ -183,6 +183,29 @@ database is used.
 The path to the server's certificate file, in PEM format.
 The default value is
 .Pa /etc/ssl/sudo/certs/logsrvd_cert.pem .
+.It tls_checkhost = bool
+If true and
+.Em tls_checkpeer
+is also enabled,
+.Nm sudo_logsrvd
+will perform a reverse DNS lookup of the client's IP address for TLS
+connections.
+In order to be considered valid, either the IP address or the resolved
+hostname must be present in the client certificate's Subject
+Alternative Name (SAN), or the host name must match the Common Name
+(CN) if no SAN is present.
+.Pp
+Disabling
+.Em tls_checkhost
+makes it possible to use the same client certificate on multiple
+systems, regardless of the client host name or IP address.
+.Pp
+The
+.Em tls_checkhost
+setting only has an effect when
+.Em tls_checkpeer
+is also enabled.
+Defaults to true.
 .It tls_checkpeer = bool
 If true, client certificates will be validated by
 .Nm sudo_logsrvd ;
@@ -193,11 +216,10 @@ authority, the
 .Em tls_cacert
 setting must be set to a CA bundle that contains the CA certificate
 used to generate the client certificate.
-To validate the certificate,
-.Nm sudo_logsrvd
-will perform a reverse DNS lookup of the client's IP address.
-In order to be considered valid, either the IP address or the
-resolved hostname must be present in the client certificate.
+Validation of the client's IP address and host name is controlled
+by the
+.Em tls_checkhost
+setting.
 The default value is
 .Em false .
 .It tls_ciphers_v12 = string
@@ -357,6 +379,16 @@ The path to the server's certificate file, in PEM format.
 The default is to use the value specified in the
 .Sx server
 section.
+.It tls_checkhost = bool
+If true and
+.Em tls_checkpeer
+is also enabled,
+.Nm sudo_logsrvd
+will perform a reverse DNS lookup of the client's IP address for TLS
+connections.
+The default is to use the value specified in the
+.Sx server
+section.
 .It tls_checkpeer = bool
 If true, the relay host's certificate will be validated by
 .Nm sudo_logsrvd ;
@@ -840,6 +872,11 @@ Sudo log server configuration file
 # Defaults to true.
 #tls_verify = true
 
+# If true, client certificates being validated by the server must have a
+# matching host name or IP address in the Subject Alternative Name (SAN).
+# Defaults to true.  Only has an effect when tls_checkpeer is also true.
+#tls_checkhost = true
+
 # If true, client certificates will be validated by the server;
 # clients without a valid certificate will be unable to connect.
 # By default, client certs are not checked.

examples/sudo_logsrvd.conf.in

@@ -39,6 +39,11 @@
 # Defaults to true.
 #tls_verify = true
 
+# If true, client certificates being validated by the server must have a
+# matching host name or IP address in the Subject Alternative Name (SAN).
+# Defaults to true.  Only has an effect when tls_checkpeer is also true.
+#tls_checkhost = true
+
 # If true, client certificates will be validated by the server;
 # clients without a valid certificate will be unable to connect.
 # By default, client certs are not checked.

logsrvd/logsrvd.c

@@ -1,7 +1,7 @@
 /*
  * SPDX-License-Identifier: ISC
  *
- * Copyright (c) 2019-2025 Todd C. Miller <[email protected]>
+ * Copyright (c) 2019-2026 Todd C. Miller <[email protected]>
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -1339,14 +1339,13 @@ start_protocol(struct connection_closure *closure)
 
 #if defined(HAVE_OPENSSL)
 static int
-verify_peer_identity(int preverify_ok, X509_STORE_CTX *ctx)
+verify_peer(int preverify_ok, X509_STORE_CTX *ctx, bool check_host)
 {
-    HostnameValidationResult result;
     struct connection_closure *closure;
     SSL *ssl;
     X509 *current_cert;
     X509 *peer_cert;
-    debug_decl(verify_peer_identity, SUDO_DEBUG_UTIL);
+    debug_decl(verify_peer, SUDO_DEBUG_UTIL);
 
     current_cert = X509_STORE_CTX_get_current_cert(ctx);
 
@@ -1376,15 +1375,30 @@ verify_peer_identity(int preverify_ok, X509_STORE_CTX *ctx)
     ssl = X509_STORE_CTX_get_ex_data(ctx, SSL_get_ex_data_X509_STORE_CTX_idx());
     closure = (struct connection_closure *)SSL_get_ex_data(ssl, 1);
 
-    result = validate_hostname(peer_cert, closure->name, closure->ipaddr);
-    if (result != MatchFound) {
-	sudo_debug_printf(SUDO_DEBUG_INFO|SUDO_DEBUG_LINENO,
-	    "hostname validation failed");
-	debug_return_int(0);
+    if (check_host) {
+	const HostnameValidationResult result =
+	    validate_hostname(peer_cert, closure->name, closure->ipaddr);
+	if (result != MatchFound) {
+	    sudo_debug_printf(SUDO_DEBUG_INFO|SUDO_DEBUG_LINENO,
+		"hostname validation failed");
+	    debug_return_int(0);
+	}
     }
     debug_return_int(1);
 }
 
+static int
+verify_peer_identity(int preverify_ok, X509_STORE_CTX *ctx)
+{
+    return verify_peer(preverify_ok, ctx, true);
+}
+
+static int
+verify_peer_identity_nohost(int preverify_ok, X509_STORE_CTX *ctx)
+{
+    return verify_peer(preverify_ok, ctx, false);
+}
+
 /*
  * Set the TLS verify callback to verify_peer_identity().
  */
@@ -1397,9 +1411,15 @@ set_tls_verify_peer(void)
 
     if (server_ctx != NULL && logsrvd_conf_server_tls_check_peer()) {
 	/* Verify server cert during the handshake. */
-	SSL_CTX_set_verify(server_ctx,
-	    SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
-	    verify_peer_identity);
+	if (logsrvd_conf_server_tls_check_host()) {
+	    SSL_CTX_set_verify(server_ctx,
+		SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
+		verify_peer_identity);
+	} else {
+	    SSL_CTX_set_verify(server_ctx,
+		SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
+		verify_peer_identity_nohost);
+	}
     }
     if (relay_ctx != NULL && logsrvd_conf_relay_tls_check_peer()) {
 	/* Verify relay cert during the handshake. */
@@ -1552,7 +1572,7 @@ new_connection(int sock, bool tls, const union sockaddr_union *sa_un,
             goto bad;
         }
 
-	if (logsrvd_conf_server_tls_check_peer()) {
+	if (logsrvd_conf_server_tls_check_host()) {
 	    /* Hostname to verify in certificate during handshake. */
 	    char hbuf[NI_MAXHOST];
 	    const int error = getnameinfo(&sa_un->sa, salen, hbuf,

logsrvd/logsrvd.h

@@ -1,7 +1,7 @@
 /*
  * SPDX-License-Identifier: ISC
  *
- * Copyright (c) 2019-2022 Todd C. Miller <[email protected]>
+ * Copyright (c) 2019-2022, 2025-2026 Todd C. Miller <[email protected]>
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -218,6 +218,7 @@ struct timespec *logsrvd_conf_relay_connect_timeout(void);
 struct timespec *logsrvd_conf_relay_timeout(void);
 time_t logsrvd_conf_relay_retry_interval(void);
 #if defined(HAVE_OPENSSL)
+bool logsrvd_conf_server_tls_check_host(void);
 bool logsrvd_conf_server_tls_check_peer(void);
 SSL_CTX *logsrvd_server_tls_ctx(void);
 bool logsrvd_conf_relay_tls_check_peer(void);

logsrvd/logsrvd_conf.c

@@ -112,6 +112,7 @@ static struct logsrvd_config {
 	char *tls_dhparams_path;
 	char *tls_ciphers_v12;
 	char *tls_ciphers_v13;
+	int tls_check_host;
 	int tls_check_peer;
 	int tls_verify;
 	SSL_CTX *ssl_ctx;
@@ -265,6 +266,12 @@ logsrvd_server_tls_ctx(void)
     return logsrvd_config->server.ssl_ctx;
 }
 
+bool
+logsrvd_conf_server_tls_check_host(void)
+{
+    return logsrvd_config->server.tls_check_host;
+}
+
 bool
 logsrvd_conf_server_tls_check_peer(void)
 {
@@ -781,6 +788,20 @@ cb_tls_verify(struct logsrvd_config *config, const char *str, size_t offset)
     debug_return_bool(true);
 }
 
+static bool
+cb_tls_checkhost(struct logsrvd_config *config, const char *str, size_t offset)
+{
+    int *p = (int *)((char *)config + offset);
+    int val;
+    debug_decl(cb_tls_checkhost, SUDO_DEBUG_UTIL);
+
+    if ((val = sudo_strtobool(str)) == -1)
+	debug_return_bool(false);
+
+    *p = val;
+    debug_return_bool(true);
+}
+
 static bool
 cb_tls_checkpeer(struct logsrvd_config *config, const char *str, size_t offset)
 {
@@ -1118,6 +1139,7 @@ static struct logsrvd_config_entry server_conf_entries[] = {
     { "tls_dhparams", cb_tls_dhparams, offsetof(struct logsrvd_config, server.tls_dhparams_path) },
     { "tls_ciphers_v12", cb_tls_ciphers12, offsetof(struct logsrvd_config, server.tls_ciphers_v12) },
     { "tls_ciphers_v13", cb_tls_ciphers13, offsetof(struct logsrvd_config, server.tls_ciphers_v13) },
+    { "tls_checkhost", cb_tls_checkhost, offsetof(struct logsrvd_config, server.tls_check_host) },
     { "tls_checkpeer", cb_tls_checkpeer, offsetof(struct logsrvd_config, server.tls_check_peer) },
     { "tls_verify", cb_tls_verify, offsetof(struct logsrvd_config, server.tls_verify) },
 #endif
@@ -1662,6 +1684,7 @@ logsrvd_conf_alloc(void)
 	goto bad;
     }
     config->server.tls_verify = true;
+    config->server.tls_check_host = true;
     config->server.tls_check_peer = false;
 #endif