Anushree Prakash B authored
NOT RESPECTED WITH --SSL-VERIFY-SERVE

DESCRIPTION
===========
When connecting to a host with ssl-mode=VERIFY_IDENTITY, it does not inspect the IPs provided in the Subject Alternative Name. This can result in SSL certificate validation failure even for valid IPs.

ANALYSIS
========
For openssl versions 1.0.2 and greater, an X509v3 extension is used, "Subject Alternative Name", that supports multiple hosts. However, prior to this "Subject: CN=hostname" is used, which can only specify a single host name. The names provided in the Subject Alternative Name field should also be inspected while establishing a connection.

FIX:
====
Appropriate X509 certificate matching functions should be called while verifying the server certificate using openssl versions 1.0.2+.
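As an added illustration (not the commit's own code, which calls OpenSSL's X509 matching functions in C), the Python below reproduces the identity-matching semantics the commit describes: Subject Alternative Name DNS and IP entries are checked first, and the Subject CN only as a legacy fallback when no SAN is present. The certificate dict is constructed, in the layout Python's `ssl.SSLSocket.getpeercert()` returns, and the `inspect_ip_san` switch is a hypothetical knob that recreates the reported failure for IP targets.

```python
import ipaddress

# Constructed sample certificate in the dict layout returned by
# ssl.SSLSocket.getpeercert(); not a real server's certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "db.example.test"),),),
    "subjectAltName": (
        ("DNS", "db.example.test"),
        ("DNS", "*.replicas.example.test"),
        ("IP Address", "192.0.2.10"),
        ("IP Address", "2001:db8::10"),
    ),
}

def _dns_match(pattern, hostname):
    """Case-insensitive DNS-ID match; one leftmost '*' label is allowed."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if not pattern.startswith("*."):
        return pattern == hostname
    plabels, hlabels = pattern.split("."), hostname.split(".")
    return len(plabels) == len(hlabels) and plabels[1:] == hlabels[1:]

def _as_ip(text):
    """Return an ip_address object if text is an IP literal, else None."""
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None

def verify_identity(cert, target, inspect_ip_san=True):
    """True if `target` (hostname or IP literal) is named by `cert`.
    inspect_ip_san=False is a hypothetical switch reproducing the bug in
    the commit: iPAddress SAN entries are ignored, so a valid IP fails."""
    ip = _as_ip(target)
    san = cert.get("subjectAltName", ())
    if san:
        for kind, value in san:
            if ip is not None:
                # An IP target may only match iPAddress entries (RFC 6125 6.4.4)
                if inspect_ip_san and kind == "IP Address" and _as_ip(value) == ip:
                    return True
            elif kind == "DNS" and _dns_match(value, target):
                return True
        return False
    # No SAN extension at all: legacy fallback to the Subject CN only
    for rdn in cert.get("subject", ()):
        for attr, value in rdn:
            if attr != "commonName":
                continue
            if (ip is not None and _as_ip(value) == ip) or (ip is None and _dns_match(value, target)):
                return True
    return False
```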