On Mon, Sep 15, 2014 at 10:23 AM, Alexey Klyukin <al...@hintbits.com> wrote:
> On Fri, Sep 12, 2014 at 4:20 PM, Heikki Linnakangas
> <hlinnakan...@vmware.com> wrote:
>
>>> Hmm. If that's what the browsers do, I think we should also err on the
>>> side of caution here. Ignoring the CN is highly unlikely to cause anyone
>>> a problem; a CA worth its salt should not issue a certificate with a CN
>>> that's not also listed in the SAN section. But if you have such a
>>> certificate anyway for some reason, it shouldn't be too difficult to get
>>> a new certificate. Certificates expire every 1-3 years anyway, so there
>>> must be a procedure to renew them anyway.
>>
>>
>> Committed, with that change, ie. the CN is not checked if SANs are present.
Actually, I disagree with the way the patch ignores the CN. Currently, it skips the CN unconditionally if the SubjectAltName section is present. But what RFC 6125 says is:

    "If a subjectAltName extension of type dNSName is present, that MUST be used as the identity. Otherwise, the (most specific) Common Name field in the Subject field of the certificate MUST be used."

This means that we have to check that at least one dNSName resource is present before declining to examine the CN.

Attached is a one-liner (excluding comments) that fixes this.

Regards,
Alexey
diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c new file mode 100644 index 98d02b6..dd4fab8 *** a/src/interfaces/libpq/fe-secure-openssl.c --- b/src/interfaces/libpq/fe-secure-openssl.c *************** verify_peer_name_matches_certificate(PGc *** 626,637 **** sk_GENERAL_NAME_free(peer_san); } /* ! * If there is no subjectAltName extension, check the Common Name. * ! * (Per RFC 2818 and RFC 6125, if the subjectAltName extension is present, * the CN must be ignored.) */ ! else { X509_NAME *subject_name; --- 626,637 ---- sk_GENERAL_NAME_free(peer_san); } /* ! * If there is no subjectAltName extension of type dNSName, check the Common Name. * ! * (Per RFC 2818 and RFC 6125, if the subjectAltName extension of type dNSName is present, * the CN must be ignored.) */ ! if (names_examined == 0) { X509_NAME *subject_name;
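Review bot: replacing `else` with `if (names_examined == 0)` is only correct if `names_examined` is initialised to zero before the `if (peer_san)` block and incremented solely for GEN_DNS entries (not for iPAddress or other SAN types), and neither the declaration nor the increment is inside this hunk's context; please include enough context to show that, or add a one-line comment at the new `if` saying that `names_examined` counts dNSName entries only, since a reader of this hunk alone cannot tell whether an iPAddress-only SAN still suppresses the CN check. Style point on the same hunk: the two rewritten comment lines ("If there is no subjectAltName extension of type dNSName, check the Common Name." and "(Per RFC 2818 and RFC 6125, if the subjectAltName extension of type dNSName is present,") run past 80 columns once the tab and " * " prefix are counted; rewrap them to PostgreSQL's usual width.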
--
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers
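The distinction the thread turns on, as an added example that is not libpq code and not part of the original message: a hostname check over a modeled certificate, run once with the RFC 2818/RFC 6125 rule (fall back to the CN only when no dNSName SAN entry exists) and once with the rule the thread says the earlier commit had (skip the CN whenever any SAN extension is present). The `san_type`, `cert_model` and `verify_peer_name` names, the sample certificates and hostnames, and the simplified single-label wildcard matching are all assumptions made for this example; real certificate parsing, iPAddress matching and libpq's own wildcard rules are out of scope.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Modeled subjectAltName entry kinds (assumption for this example). Only the
 * dNSName kind is an identity for a hostname check; the others are listed so
 * the example can show that their presence alone must not suppress the CN.
 */
typedef enum { SAN_DNS, SAN_IPADDR, SAN_EMAIL } san_type;

typedef struct {
    san_type    type;
    const char *value;
} san_entry;

/* Only the identity fields of a certificate are modeled (constructed data). */
typedef struct {
    const san_entry *sans;
    size_t           nsans;
    const char      *cn;        /* Subject Common Name, NULL if absent */
} cert_model;

typedef struct {
    bool matched;               /* host matched an accepted identity */
    int  dns_names_examined;    /* dNSName SAN entries that were compared */
    bool cn_checked;            /* the CN was consulted as the identity */
} verify_result;

/* Case-insensitive equality; DNS names compare case-insensitively. */
static bool ci_equal(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char) *a) != tolower((unsigned char) *b))
            return false;
    return *a == '\0' && *b == '\0';
}

/*
 * Exact match, or a leftmost "*." wildcard covering exactly one non-empty
 * label: "*.example.com" matches "db.example.com", not "a.b.example.com".
 */
static bool hostname_matches(const char *pattern, const char *host)
{
    if (strncmp(pattern, "*.", 2) == 0) {
        const char *dot = strchr(host, '.');
        if (dot == NULL || dot == host)
            return false;
        return ci_equal(pattern + 1, dot);  /* compare the ".example.com" parts */
    }
    return ci_equal(pattern, host);
}

/*
 * rfc6125 == true : CN consulted only if no dNSName SAN entry exists
 *                   (the rule the patch in the thread implements).
 * rfc6125 == false: CN skipped whenever the SAN extension is present at all
 *                   (the behaviour the thread attributes to the earlier commit).
 */
verify_result verify_peer_name(const char *host, const cert_model *cert, bool rfc6125)
{
    verify_result r = { false, 0, false };

    for (size_t i = 0; i < cert->nsans; i++) {
        if (cert->sans[i].type != SAN_DNS)
            continue;                   /* iPAddress, rfc822Name, ... are not hostnames */
        r.dns_names_examined++;
        if (hostname_matches(cert->sans[i].value, host))
            r.matched = true;
    }

    bool fall_back_to_cn = rfc6125 ? (r.dns_names_examined == 0)
                                   : (cert->nsans == 0);
    if (fall_back_to_cn && cert->cn != NULL) {
        r.cn_checked = true;
        r.matched = hostname_matches(cert->cn, host);
    }
    return r;
}

/* Constructed sample certificates; names and addresses are made up. */
static const san_entry sans_dns[]     = { { SAN_DNS, "*.example.com" }, { SAN_DNS, "example.com" } };
static const san_entry sans_non_dns[] = { { SAN_IPADDR, "10.0.0.5" }, { SAN_EMAIL, "dba@example.com" } };

const cert_model cert_with_dns_san = { sans_dns, 2, "legacy.example.org" };
const cert_model cert_non_dns_san  = { sans_non_dns, 2, "db.example.com" };
const cert_model cert_cn_only      = { NULL, 0, "db.example.com" };

int main(void)
{
    const char *host = "db.example.com";
    verify_result a = verify_peer_name(host, &cert_with_dns_san, true);
    verify_result b = verify_peer_name(host, &cert_non_dns_san, true);
    verify_result c = verify_peer_name(host, &cert_non_dns_san, false);

    printf("dNSName SAN present:       matched=%d cn_checked=%d\n", a.matched, a.cn_checked);
    printf("non-dNSName SAN, RFC 6125: matched=%d cn_checked=%d\n", b.matched, b.cn_checked);
    printf("non-dNSName SAN, old rule: matched=%d cn_checked=%d\n", c.matched, c.cn_checked);
    return 0;
}
```

The case the message is about is `cert_non_dns_san`: its SAN extension holds only an iPAddress and an rfc822Name, so under the old rule the CN is never looked at and the connection to `db.example.com` fails, while under the RFC 6125 rule the CN is the identity and the name matches. `cert_with_dns_san` shows the other half of the rule: once a dNSName entry exists, a CN that would have matched is ignored.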