At present, it is pathetically easy to trick openssl into bypassing nameConstraints. All you need to do is put some evil DNS name in the common name and not provide any subjectAltName list.
I checked; this bug is present in openssl-1.0.1i; openssl s_client happily connects to bypass.jdenker.com in defiance of my CA's nameConstraints. This affects widely-used apps including curl, lynx, and wget, although I only checked them as of 1.0.1f. If you want a live demonstration, try the following: wget http://www.av8n.com/av8n.com_Root_CA.pem echo bde600da763f4105ceb64913d0ed5838 av8n.com_Root_CA.pem | md5sum -c - SSL_CERT_FILE=av8n.com_Root_CA.pem curl https://bypass.jdenker.com:444/hello.txt Observed behavior: Command succeeds, prints "Hello, world!" Desired behavior: Should fail, due to violation of nameConstraints. Similarly, the following succeeds, but should not: :| openssl s_client -CAfile av8n-root-ca-cert.pem -connect bypass.jdenker.com:444 Compare and contrast: firefox properly complains; see below. Also compare: The following succeeds, as it should: SSL_CERT_FILE=av8n.com_Root_CA.pem curl https://cloud.av8n.com/hello.txt If anybody is interested, I can provide the config files that generate the certificates in question. You can easily find additional discussion of this bug; https://www.google.com/search?q=x509+%22name+constraints%22+bypass leads to http://www.openwall.com/lists/oss-security/2013/08/12/4 ============ Note that in contrast, the bypass bug has been fixed in Mozilla NSS. https://bugzilla.mozilla.org/show_bug.cgi?id=394919 When I try the bypass trick on firefox 31.0, it throws an appropriate error. >>> firefox https://bypass.jdenker.com:444/hello.txt > Secure Connection Failed > > An error occurred during a connection to bypass.jdenker.com:444 > The Certifying Authority for this certificate is not permitted > to issue a certificate with this name. > > (Error code: sec_error_cert_not_in_name_space) The user is not even given the option of continuing past the error. So evidently this is considered more serious than a run-of-the-mill problem with an unrecognized issuer. =========== Additional discussion of why this is important has already been posted to the openssl-dev list; see http://marc.info/?l=openssl-dev&m=140873436313689&w=2 ______________________________________________________________________ OpenSSL Project http://www.openssl.org Development Mailing List [email protected] Automated List Manager [email protected]
