Issue #6493 has been reported by djmitche (Dustin Mitchell). ---------------------------------------- Bug #6493: OpenSSL::SSL ignores DN if subjectAltName is specified https://bugs.ruby-lang.org/issues/6493 Author: djmitche (Dustin Mitchell) Status: Open Priority: Normal Assignee: Category: Target version: ruby -v: trunk In ext/openssl/lib/openssl/ssl.rb, verify_certificate_identity seems to intentionally *not* check the DN if any subjectAltName extensions are found. RFC3280 says <pre> The subject alternative names extension allows additional identities to be bound to the subject of the certificate. ... </pre> which suggests that it contains *additional* identities, and thus does not exclude the subject. This functionality was added way back in 2005, r7970: * ext/openssl/lib/openssl/ssl.rb (OpenSSL::SSL::SSLSocket#post_connection_check): new method. and moved around several times since then.
on 2012-05-25 00:47
on 2012-05-25 01:25
Issue #6493 has been updated by drbrain (Eric Hodel). Category set to ext Status changed from Open to Assigned Assignee set to MartinBosslet (Martin Bosslet) Target version set to 2.0.0 ---------------------------------------- Bug #6493: OpenSSL::SSL ignores DN if subjectAltName is specified https://bugs.ruby-lang.org/issues/6493#change-26808 Author: djmitche (Dustin Mitchell) Status: Assigned Priority: Normal Assignee: MartinBosslet (Martin Bosslet) Category: ext Target version: 2.0.0 ruby -v: trunk In ext/openssl/lib/openssl/ssl.rb, verify_certificate_identity seems to intentionally *not* check the DN if any subjectAltName extensions are found. RFC3280 says <pre> The subject alternative names extension allows additional identities to be bound to the subject of the certificate. ... </pre> which suggests that it contains *additional* identities, and thus does not exclude the subject. This functionality was added way back in 2005, r7970: * ext/openssl/lib/openssl/ssl.rb (OpenSSL::SSL::SSLSocket#post_connection_check): new method. and moved around several times since then.
on 2012-05-25 02:48
Issue #6493 has been updated by MartinBosslet (Martin Bosslet). Status changed from Assigned to Feedback Priority changed from Normal to Low RFC 3280 was obsoleted by 5280 and there, the wording is slightly different: 8<-------- 4.2.1.6. Subject Alternative Name The subject alternative name extension allows identities to be bound to the subject of the certificate. These identities may be included in addition to or in place of the identity in the subject field of the certificate. >8-------- But I think we should orient ourselves at RFC 6125 [1], which explicitly addresses how to do hostname verification for TLS services. There, it says: 8<------ 6.4.4. Checking of Common Names As noted, a client MUST NOT seek a match for a reference identifier of CN-ID if the presented identifiers include a DNS-ID, SRV-ID, URI-ID, or any application-specific identifier types supported by the client. >8------ Therefore current behavior is in line with this and correct in doing so. But what's missing is verification of the service type parts and interpretation of the otherName attributes of type srvName (RFC4985), I could imagine adding support in the future, especially if CAs start to follow these recommendations. But I'll mark this as low prio for now if nobody objects. [1] http://tools.ietf.org/html/rfc6125 ---------------------------------------- Bug #6493: OpenSSL::SSL ignores DN if subjectAltName is specified https://bugs.ruby-lang.org/issues/6493#change-26811 Author: djmitche (Dustin Mitchell) Status: Feedback Priority: Low Assignee: MartinBosslet (Martin Bosslet) Category: ext Target version: 2.0.0 ruby -v: trunk In ext/openssl/lib/openssl/ssl.rb, verify_certificate_identity seems to intentionally *not* check the DN if any subjectAltName extensions are found. RFC3280 says <pre> The subject alternative names extension allows additional identities to be bound to the subject of the certificate. ... </pre> which suggests that it contains *additional* identities, and thus does not exclude the subject. This functionality was added way back in 2005, r7970: * ext/openssl/lib/openssl/ssl.rb (OpenSSL::SSL::SSLSocket#post_connection_check): new method. and moved around several times since then.
on 2013-02-18 13:46
Issue #6493 has been updated by mame (Yusuke Endoh). Target version changed from 2.0.0 to next minor ---------------------------------------- Bug #6493: OpenSSL::SSL ignores DN if subjectAltName is specified https://bugs.ruby-lang.org/issues/6493#change-36521 Author: djmitche (Dustin Mitchell) Status: Feedback Priority: Low Assignee: MartinBosslet (Martin Bosslet) Category: ext Target version: next minor ruby -v: trunk In ext/openssl/lib/openssl/ssl.rb, verify_certificate_identity seems to intentionally *not* check the DN if any subjectAltName extensions are found. RFC3280 says <pre> The subject alternative names extension allows additional identities to be bound to the subject of the certificate. ... </pre> which suggests that it contains *additional* identities, and thus does not exclude the subject. This functionality was added way back in 2005, r7970: * ext/openssl/lib/openssl/ssl.rb (OpenSSL::SSL::SSLSocket#post_connection_check): new method. and moved around several times since then.
Enable email notification
Enable multi-page viewPlease log in before posting. Registration is free and takes only a minute.
Existing account
(Switch to SSL-encrypted connection)
NEW: Do you have a Google/GoogleMail or Yahoo account? No registration required!
Log in with Google account | Log in with Yahoo account
Log in with Google account | Log in with Yahoo account
No account? Register here.