On Mon, Aug 25, 2014 at 07:18:09AM -0400, Hubert Kario wrote:
> ----- Original Message -----
> > From: "John Denker via RT" <[email protected]>
> > Cc: [email protected]
> > Sent: Sunday, August 24, 2014 11:45:33 AM
> > Subject: [openssl.org #3502] nameConstraints bypass bug
> >
> > At present, it is pathetically easy to trick openssl into
> > bypassing nameConstraints. All you need to do is put
> > some evil DNS name in the common name and not provide
> > any subjectAltName list.
> >
> > I checked; this bug is present in openssl-1.0.1i;
> > openssl s_client happily connects to bypass.jdenker.com
> > in defiance of my CA's nameConstraints. This affects
> > widely-used apps including curl, lynx, and wget, although
> > I only checked them as of 1.0.1f.
> >
> > If you want a live demonstration, try the following:
> > wget http://www.av8n.com/av8n.com_Root_CA.pem
> > echo bde600da763f4105ceb64913d0ed5838 av8n.com_Root_CA.pem | md5sum -c -
> > SSL_CERT_FILE=av8n.com_Root_CA.pem curl
> > https://bypass.jdenker.com:444/hello.txt
> > Observed behavior: Command succeeds, prints "Hello, world!"
> > Desired behavior: Should fail, due to violation of nameConstraints.
> > Similarly, the following succeeds, but should not:
> > :| openssl s_client -CAfile av8n-root-ca-cert.pem -connect
> > bypass.jdenker.com:444
>
> I don't think s_client does any host name checking by default, even in master
> branch. Have you tried using `-verify_hostname bypass.jdenker.com`, optionally
> with `-verify_name ssl_server`?
I don't think that's what he's talking about, and it should always
be rejected even when not checking the hostname you're connecting
too.
What I understood is that the CA was constrainted that it only
allows signing certificates in the *.foo domain, but that openssl
allowed to sign in the *.bar domain if the certificate doesn't
contain the SubjectAltName extention. The check nameConstraint is
only checked for the SubjectAltNames.
But the test site only seems to send. The test site doesn't
seem to be sending all certificates in the chain, but the mail
mentions the you should import the root CA that they pointed
to. It contain:
X509v3 Name Constraints: critical
Permitted:
DNS:av8n.com
DNS:av8n.net
DNS:av8n.org
DNS:.av8n.com
DNS:.av8n.net
DNS:.av8n.org
bypass.jdenker.com doesn't match any of those, so it should be
rejected. But when testing it, I get
CONNECTED(00000003)
depth=1 O = av8n.com, OU = Root CA, CN = av8n.com Root CA, C = US, emailAddress
= [email protected]
verify return:1
depth=0 C = US, CN = bypass.jdenker.com
verify return:1
---
Certificate chain
0 s:/C=US/CN=bypass.jdenker.com
i:/O=av8n.com/OU=Root CA/CN=av8n.com Root CA/C=US/[email protected]
[...]
Verify return code: 0 (ok)
Kurt
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [email protected]
Automated List Manager [email protected]
