[ https://issues.apache.org/jira/browse/PROTON-890?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Justin Ross updated PROTON-890:
-------------------------------
    Labels: patch tls  (was: patch ssl)

> adding subjectAltName (IP) support to proton-c 0.9.1
> ----------------------------------------------------
>
>                 Key: PROTON-890
>                 URL: https://issues.apache.org/jira/browse/PROTON-890
>             Project: Qpid Proton
>          Issue Type: Improvement
>          Components: proton-c
>    Affects Versions: 0.9
>         Environment: Ubuntu 12.04 x86-64
>            Reporter: yanfeng liu
>            Priority: Minor
>              Labels: patch, tls
>             Fix For: proton-c-future
>
>
> Reproducing steps:
> 1) Run a broker with qpidd-cpp-0.32 that runs SSL using a server certificate
> that has IP type SANs like IP:192.168.164.130,IP:127.0.0.1 etc.
> 2) Run a qpid-0.32-cpp sample using SSL to connect to one of the broker's IP
> addresses with the trusted_certificate parameter specified. This works fine
> since qpid-0.32-cpp samples can handle IP:x.x.x.x type SANs correctly.
> 3) Run a proton-c messenger API based sample with the same broker and
> trusted_certificate and get an error about SSL3 server certificate
> verification failure, because the specified server IP in the AMQP URL doesn't
> appear in the SAN DNS of the server certificate.
> By checking the source code of verify_callback() in ssl/openssl.c, we can see
> that only the GEN_DNSNAME type is supported. With the code fragment below, we
> can have GEN_IPADD supported as well:
> {code:title=ssl/openssl.c|borderStyle=solid}
> if (name->type == GEN_IPADD) {
>   ASN1_OCTET_STRING *asn1 = name->d.iPAddress;
>   /* Dotted-decimal rendering is only valid for 4-byte (IPv4) entries. */
>   if (asn1 && asn1->data && asn1->length == 4) {
>     const unsigned char *str = asn1->data;
>     char ip[16];  /* "255.255.255.255" plus terminating NUL */
>     snprintf(ip, sizeof(ip), "%d.%d.%d.%d", str[0], str[1], str[2], str[3]);
>     ssl_log(transport, "SubjectAltName (ip) from peer cert = '%s'", ip);
>     /* Exact match: a prefix compare would accept 10.0.0.1 for 10.0.0.10. */
>     matched = (0 == strcmp(ssl->peer_hostname, ip));
>   }
> }
> {code}
> Regards,
> yanfeng
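An added example, not code from the issue or from proton-c: the same iPAddress check done on the binary form, so that IPv6 entries work and textual prefixes cannot match. The helper name `san_ip_matches` and the sample byte arrays are assumptions made for illustration; in `verify_callback()` the bytes would come from `name->d.iPAddress`.

```c
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample SAN payloads: the raw octets an iPAddress entry
 * carries for IP:192.168.164.130 and for the IPv6 loopback ::1. */
static const unsigned char SAMPLE_V4[4] = {192, 168, 164, 130};
static const unsigned char SAMPLE_V6[16] = {0, 0, 0, 0, 0, 0, 0, 0,
                                            0, 0, 0, 0, 0, 0, 0, 1};

/* Hypothetical helper: returns 1 when the raw bytes of an iPAddress SAN
 * entry equal the address literal the client asked to connect to. */
int san_ip_matches(const unsigned char *san, int san_len, const char *peer)
{
    unsigned char want[16];  /* large enough for an IPv6 address */
    int family;

    if (!san || !peer) return 0;

    /* RFC 5280: a SAN iPAddress is exactly 4 octets (IPv4) or 16 (IPv6). */
    if (san_len == 4) family = AF_INET;
    else if (san_len == 16) family = AF_INET6;
    else return 0;

    /* inet_pton() accepts only a complete address literal of this family,
     * so DNS names and malformed strings never match an IP entry. */
    if (inet_pton(family, peer, want) != 1) return 0;

    /* Whole-value comparison: no prefix matches, and the result does not
     * depend on how the address was written ("::1" vs "0:0:0:0:0:0:0:1"). */
    return memcmp(san, want, (size_t)san_len) == 0;
}

int main(void)
{
    printf("exact IPv4:  %d\n", san_ip_matches(SAMPLE_V4, 4, "192.168.164.130"));
    printf("prefix IPv4: %d\n", san_ip_matches(SAMPLE_V4, 4, "192.168.164.13"));
    printf("IPv6 short:  %d\n", san_ip_matches(SAMPLE_V6, 16, "::1"));
    printf("DNS name:    %d\n", san_ip_matches(SAMPLE_V4, 4, "localhost"));
    return 0;
}
```

OpenSSL 1.0.2 and later also provide `X509_check_ip_asc()`, which performs this comparison against all iPAddress entries of a certificate.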