[ https://issues.apache.org/jira/browse/PROTON-890?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

yanfeng liu updated PROTON-890:
-------------------------------
    Description: 
Reproducing steps:

1) Run a qpidd-cpp-0.32 broker with SSL enabled, using a server certificate that 
has IP-type SANs like IP:192.168.164.130, IP:127.0.0.1, etc.

2) Run a qpid-0.32-cpp sample over SSL, connecting to one of the broker's IP 
addresses. This works fine since the qpid-0.32-cpp samples can handle IP:x.x.x.x 
type SANs correctly.

3) Run the proton-c messenger sample against the same broker; it fails with an 
error about an SSL3 server certificate verification failure.

By checking the source code of verify_callback() in ssl/openssl.c, we can see 
that only the GEN_DNSNAME type is supported. Possibly the GEN_IPADD type should 
be added like below:

{code:title=ssl/openssl.c|borderStyle=solid}

      if (name->type == GEN_IPADD) {
        ASN1_OCTET_STRING *asn1 = name->d.iPAddress;
        if (asn1 && asn1->data && asn1->length) {
          unsigned char *str = (unsigned char *) asn1->data;
          /* dotted-decimal rendering of the raw SAN octets; only a 4-byte
             (IPv4) SAN yields a meaningful string here */
          char ip[32];
          int j = 0;
          ip[0] = '\0';   /* must be initialised before strlen(ip) is read */
          while (j < asn1->length && strlen(ip) < sizeof(ip) - 1) {
            if (j == 0) snprintf(ip, sizeof(ip), "%d", str[j]);
            else snprintf(ip + strlen(ip), sizeof(ip) - strlen(ip), ".%d", str[j]);
            j++;
          }
          ssl_log(transport, "SubjectAltName (ip) from peer cert = '%s'", ip);
          /* exact match against the configured peer address (strcmp takes
             two arguments; a prefix compare would let 10.0.0.1 match 10.0.0.10) */
          matched = (0 == strcmp(ssl->peer_hostname, ip));
        }
      }
{code}

Regards,
yanfeng
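An added example, not the reporter's patch and not Proton's own code: it does the job the hunk above is after, but matches the SAN octets in binary against the configured peer address via inet_pton, so a 16-byte IPv6 SAN is handled and a prefix such as 192.168.164.13 does not match 192.168.164.130. The names san_ip_matches, SAN_V4 and SAN_V6 are my own.

```c
/* Added example (not Proton's code): compare a GEN_IPADD SAN, which
 * OpenSSL hands over as raw address octets, against the peer address
 * the client was configured with. Matching in binary form avoids the
 * prefix-match and text-normalisation pitfalls of comparing strings
 * ("10.0.0.1" vs "10.0.0.10", "::1" vs "0:0:0:0:0:0:0:1"). */
#include <arpa/inet.h>
#include <sys/socket.h>
#include <string.h>
#include <stdio.h>

/* Returns 1 when the SAN octets equal the address in peer_hostname,
 * 0 otherwise (including malformed input and family mismatch). */
int san_ip_matches(const unsigned char *san, int san_len, const char *peer_hostname)
{
    unsigned char buf[16];
    int family;
    size_t want;

    if (san == NULL || peer_hostname == NULL) return 0;
    if (san_len == 4)       { family = AF_INET;  want = 4;  }
    else if (san_len == 16) { family = AF_INET6; want = 16; }
    else return 0;                      /* neither IPv4 nor IPv6 */

    /* inet_pton rejects anything that is not a well-formed literal of
     * the requested family, so a DNS name never compares equal here. */
    if (inet_pton(family, peer_hostname, buf) != 1) return 0;
    return memcmp(san, buf, want) == 0;
}

/* Sample inputs (constructed): SAN octets for 192.168.164.130 and ::1 */
static const unsigned char SAN_V4[4]  = { 192, 168, 164, 130 };
static const unsigned char SAN_V6[16] = { 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1 };

int main(void)
{
    printf("192.168.164.130 -> %d\n", san_ip_matches(SAN_V4, 4, "192.168.164.130"));
    printf("192.168.164.13  -> %d\n", san_ip_matches(SAN_V4, 4, "192.168.164.13"));
    printf("::1 vs 0:0:0:0:0:0:0:1 -> %d\n", san_ip_matches(SAN_V6, 16, "0:0:0:0:0:0:0:1"));
    return 0;
}
```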
 


  


  was:
Reproducing steps:

1) Run a qpidd-cpp-0.32 broker with SSL enabled, using a server certificate that 
has IP-type SANs like IP:192.168.164.130, IP:127.0.0.1, etc.

2) Run a qpid-0.32-cpp sample over SSL, connecting to one of the broker's IP 
addresses. This works fine since the qpid-0.32-cpp samples can handle IP:x.x.x.x 
type SANs correctly.

3) Run the proton-c messenger sample against the same broker; it fails with an 
error about an SSL3 server certificate verification failure.

By checking the source code of verify_callback() in ssl/openssl.c, we can see 
that only the GEN_DNSNAME type is supported. Possibly the GEN_IPADD type should 
be added like below:

{code:title=ssl/openssl.c|borderStyle=solid}

      if (name->type == GEN_IPADD) {
        ASN1_OCTET_STRING *asn1 = name->d.iPAddress;
        if (asn1 && asn1->data && asn1->length) {
          unsigned char *str = (unsigned char *) asn1->data;
          /* dotted-decimal rendering of the raw SAN octets; only a 4-byte
             (IPv4) SAN yields a meaningful string here */
          char ip[32];
          int j = 0;
          ip[0] = '\0';   /* must be initialised before strlen(ip) is read */
          while (j < asn1->length && strlen(ip) < sizeof(ip) - 1) {
            if (j == 0) snprintf(ip, sizeof(ip), "%d", str[j]);
            else snprintf(ip + strlen(ip), sizeof(ip) - strlen(ip), ".%d", str[j]);
            j++;
          }
          ssl_log(transport, "SubjectAltName (ip) from peer cert = '%s'", ip);
          /* prefix comparison: only the first strlen(peer_hostname) bytes of
             ip are checked, so a longer SAN sharing that prefix also matches */
          matched = !strncmp(ssl->peer_hostname, ip, strlen(ssl->peer_hostname));
        }
      }
{code}

Regards,
yanfeng
 


  



> adding subjectAltName (SAN) support to proton-c 0.9.1
> -----------------------------------------------------
>
>                 Key: PROTON-890
>                 URL: https://issues.apache.org/jira/browse/PROTON-890
>             Project: Qpid Proton
>          Issue Type: Improvement
>          Components: proton-c
>    Affects Versions: 0.9
>         Environment: Ubuntu 12.04 x86-64
>            Reporter: yanfeng liu
>            Priority: Minor
>



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)