In case examples of problems with address presentation are useful, here is one more.
RFC 5280 "Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile" section 4.2.1.6. "Subject Alternative Name" says that IPv6 addresses can be contained in subjectAltName. No news there.

When actually using a certificate that has an IPv6 address the following behaviour was seen with various SSL related components:

Perl library Net::SSLeay returns the IPv6 subjectAltName in this format:
    fdf1:a315:9433:27:0:0:0:27

Perl Socket6 library contains inet_ntop that returns address in this format:
    fdf1:a315:9433:27::27

OpenSSL utility that dumps the certificate in text format shows the address like this:
    FDF1:A315:9433:27:0:0:0:27

Just recently I was debugging a Perl program that had a problem with certificate verification. Certificate verification failed when the certificate presented by peer had subjectAltName with IPv6 address fdf1:a315:9433:27:0:0:0:27 and this did not match the address where the connection came from: fdf1:a315:9433:27::27. Same address but different presentation was the cause here too since the comparison was done using text strings.

Thanks for documenting these issues!

--
Heikki Vatiainen, Arch Red Oy
+358 44 087 6547
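The mismatch described in the message above, reproduced with its three presentations of the same address, next to a comparison on the packed 16-byte form (which is also how RFC 5280 stores an iPAddress subjectAltName). This is an added example, not code from the original message; it uses Python's standard ipaddress module rather than the Perl libraries named above, and the function names are hypothetical.

```python
import ipaddress

# Presentations of one address, as quoted in the message above.
NET_SSLEAY_SAN = "fdf1:a315:9433:27:0:0:0:27"    # Net::SSLeay
OPENSSL_TEXT_SAN = "FDF1:A315:9433:27:0:0:0:27"  # OpenSSL text dump
PEER_ADDRESS = "fdf1:a315:9433:27::27"           # inet_ntop on the socket


def to_packed(value):
    """Return the 4- or 16-byte network-order form of an address, or None.

    Accepts raw bytes (the form stored in an iPAddress SAN) or any
    textual presentation of the address.
    """
    if isinstance(value, (bytes, bytearray)):
        return bytes(value) if len(value) in (4, 16) else None
    if not isinstance(value, str):
        return None
    try:
        # A zone index such as "%eth0" is host-local and never part of a SAN.
        return ipaddress.ip_address(value.strip().split("%", 1)[0]).packed
    except ValueError:
        return None


def naive_match(peer, san_entries):
    """Text comparison, the approach that failed in the message above."""
    return peer in san_entries


def san_ip_matches(peer, san_entries):
    """True if the peer address equals any SAN entry, compared as bytes."""
    peer_packed = to_packed(peer)
    if peer_packed is None:
        return False  # fail closed on an unparseable peer address
    return any(to_packed(entry) == peer_packed for entry in san_entries)


if __name__ == "__main__":
    sans = [NET_SSLEAY_SAN, OPENSSL_TEXT_SAN]
    print("text compare:  ", naive_match(PEER_ADDRESS, sans))
    print("packed compare:", san_ip_matches(PEER_ADDRESS, sans))
```

Unparseable SAN entries are skipped rather than raising, so one malformed entry cannot turn verification into an exception path; a peer address that cannot be parsed never matches.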
