[
https://issues.apache.org/jira/browse/PROTON-890?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
yanfeng liu updated PROTON-890:
-------------------------------
Description:
Reproducing steps:
1) Run a qpidd-cpp-0.32 broker with SSL enabled, using a server certificate that
has IP-type SANs such as IP:192.168.164.130, IP:127.0.0.1, etc.
2) Run a qpid-0.32-cpp sample over SSL, connecting to one of the broker's IP
addresses with the trusted_certificate parameter specified. This works fine, since
the qpid-0.32-cpp samples can handle IP:x.x.x.x type SANs correctly.
3) Run a proton-c messenger API based sample against the same broker with the same
trusted_certificate, and you get an error about SSL3 server certificate verification
failure, because the server IP specified in the AMQP URL does not appear among the
DNS SANs of the server certificate.
By checking the source code of verify_callback() in ssl/openssl.c, we can see
that only the GEN_DNSNAME type is supported. With the code fragment below, we can
have GEN_IPADD supported as well:
{code:title=ssl/openssl.c|borderStyle=solid}
if (name->type == GEN_IPADD) {
    ASN1_OCTET_STRING *asn1 = name->d.iPAddress;
    /* iPAddress holds raw network-order octets: 4 for IPv4, 16 for IPv6.
       Only IPv4 is rendered here; an IPv6 SAN would need inet_ntop(). */
    if (asn1 && asn1->data && asn1->length == 4) {
        unsigned char *str = (unsigned char *) asn1->data;
        char ip[32] = "";   /* must be initialised: strlen(ip) is read below */
        int j = 0;
        while (j < asn1->length && strlen(ip) < sizeof(ip) - 1) {
            if (j == 0) snprintf(ip, sizeof(ip), "%u", str[j]);
            else snprintf(ip + strlen(ip), sizeof(ip) - strlen(ip), ".%u", str[j]);
            j++;
        }
        ssl_log(transport, "SubjectAltName (ip) from peer cert = '%s'", ip);
        /* Exact, full-string compare: limiting the compare to
           strlen(peer_hostname) would let 192.168.1.1 match 192.168.1.10. */
        matched = (0 == strcmp(ssl->peer_hostname, ip));
    }
}
{code}
Regards,
yanfeng
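The fragment in the report formats the SAN as dotted-decimal text and compares that string to the requested hostname. That works for a canonical IPv4 literal, but it cannot handle a 16-octet IPv6 SAN, it breaks on non-canonical spellings of the same address, and a compare bounded by the hostname's length turns into a prefix match. The C program below is an added example, not part of this report and not Proton's code: it does the check the other way round, parsing the address the client connected to with inet_pton() and comparing raw octets against the certificate's iPAddress bytes. The SAN byte arrays are constructed test data, the function names match_ip_san, format_ip_san, san_renders_as and prefix_compare_is_unsafe are my own, and the report's ssl->peer_hostname is passed in as a plain string.

```c
/* Added example, not Proton's code: check a certificate iPAddress SAN
 * against the address the client asked for by comparing raw octets.
 * The SAN byte arrays below are constructed test data, not from a real cert. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>

/* Constructed SAN octets, as they would appear in ASN1_OCTET_STRING->data:
 * IP:192.168.164.130 (4 octets) and IP:2001:db8::1 (16 octets). */
const unsigned char SAN_V4[4]  = {192, 168, 164, 130};
const unsigned char SAN_V6[16] = {0x20, 0x01, 0x0d, 0xb8, 0, 0, 0, 0,
                                  0, 0, 0, 0, 0, 0, 0, 1};

/* Return 1 if the SAN octets equal the address in peer_hostname, else 0.
 * A hostname that is not an IP literal, or a SAN of unexpected length,
 * never matches. Parsing the hostname instead of formatting the SAN means
 * "2001:DB8::1" and "2001:db8:0:0:0:0:0:1" both match the same SAN, and
 * "192.168.1.1" can never match a SAN of 192.168.1.10 by prefix. */
int match_ip_san(const unsigned char *san, size_t san_len, const char *peer_hostname)
{
    unsigned char want[16];
    int af;

    if (!san || !peer_hostname) return 0;
    if (san_len == 4)       af = AF_INET;
    else if (san_len == 16) af = AF_INET6;
    else                    return 0;          /* malformed SAN: reject */

    if (inet_pton(af, peer_hostname, want) != 1) return 0;
    return memcmp(san, want, san_len) == 0;
}

/* Render SAN octets for logging (the ssl_log() line in the report). */
int format_ip_san(const unsigned char *san, size_t san_len, char *out, size_t out_len)
{
    if (san_len == 4)  return inet_ntop(AF_INET,  san, out, (socklen_t)out_len) != NULL;
    if (san_len == 16) return inet_ntop(AF_INET6, san, out, (socklen_t)out_len) != NULL;
    return 0;
}

/* Convenience for tests: does the SAN render as the expected text? */
int san_renders_as(const unsigned char *san, size_t san_len, const char *expect)
{
    char buf[INET6_ADDRSTRLEN];
    return format_ip_san(san, san_len, buf, sizeof buf) && strcmp(buf, expect) == 0;
}

/* The length-limited compare the report's fragment appears to intend
 * (strncmp bounded by strlen(peer_hostname)) treats the hostname as a
 * prefix of the SAN. Returns 1 to show that it wrongly reports a match. */
int prefix_compare_is_unsafe(void)
{
    const char *host = "192.168.1.1", *san = "192.168.1.10";
    return strncmp(host, san, strlen(host)) == 0;
}

int main(void)
{
    char buf[INET6_ADDRSTRLEN];
    format_ip_san(SAN_V4, sizeof SAN_V4, buf, sizeof buf);
    printf("SAN %s vs 192.168.164.130: %d\n", buf, match_ip_san(SAN_V4, 4, "192.168.164.130"));
    printf("SAN %s vs 192.168.164.13:  %d\n", buf, match_ip_san(SAN_V4, 4, "192.168.164.13"));
    format_ip_san(SAN_V6, sizeof SAN_V6, buf, sizeof buf);
    printf("SAN %s vs 2001:DB8:0:0:0:0:0:1: %d\n", buf, match_ip_san(SAN_V6, 16, "2001:DB8:0:0:0:0:0:1"));
    printf("prefix strncmp wrongly matches: %d\n", prefix_compare_is_unsafe());
    return 0;
}
```

Inside a real verify_callback() the octets and length come from name->d.iPAddress->data and ->length, and the match result replaces the string compare. With OpenSSL 1.0.2 or later the hand-rolled SAN walk can be avoided altogether: X509_VERIFY_PARAM_set1_ip_asc() on the connection's verify parameters makes the library perform this iPAddress match itself during verification.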
was:
Reproducing steps:
1) Run a qpidd-cpp-0.32 broker with SSL enabled, using a server certificate that
has IP-type SANs such as IP:192.168.164.130, IP:127.0.0.1, etc.
2) Run a qpid-0.32-cpp sample over SSL, connecting to one of the broker's IP
addresses. This works fine, since the qpid-0.32-cpp samples can handle IP:x.x.x.x
type SANs correctly.
3) Run the proton-c messenger sample against the same broker and you get an error
about SSL3 server certificate verification failure...
By checking the source code of verify_callback() in ssl/openssl.c, we can see that
only the GEN_DNSNAME type is supported. Possibly the GEN_IPADD type should be added
like below:
{code:title=ssl/openssl.c|borderStyle=solid}
if (name->type == GEN_IPADD) {
    ASN1_OCTET_STRING *asn1 = name->d.iPAddress;
    /* iPAddress holds raw network-order octets: 4 for IPv4, 16 for IPv6.
       Only IPv4 is rendered here; an IPv6 SAN would need inet_ntop(). */
    if (asn1 && asn1->data && asn1->length == 4) {
        unsigned char *str = (unsigned char *) asn1->data;
        char ip[32] = "";   /* must be initialised: strlen(ip) is read below */
        int j = 0;
        while (j < asn1->length && strlen(ip) < sizeof(ip) - 1) {
            if (j == 0) snprintf(ip, sizeof(ip), "%u", str[j]);
            else snprintf(ip + strlen(ip), sizeof(ip) - strlen(ip), ".%u", str[j]);
            j++;
        }
        ssl_log(transport, "SubjectAltName (ip) from peer cert = '%s'", ip);
        /* Exact, full-string compare: limiting the compare to
           strlen(peer_hostname) would let 192.168.1.1 match 192.168.1.10. */
        matched = (0 == strcmp(ssl->peer_hostname, ip));
    }
}
{code}
Regards,
yanfeng
> adding subjectAltName (IP) support to proton-c 0.9.1
> ----------------------------------------------------
>
> Key: PROTON-890
> URL: https://issues.apache.org/jira/browse/PROTON-890
> Project: Qpid Proton
> Issue Type: Improvement
> Components: proton-c
> Affects Versions: 0.9
> Environment: Ubuntu 12.04 x86-64
> Reporter: yanfeng liu
> Priority: Minor
>
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)