crypto/x509: Wildcard Certificate Validation Weakness #4658
The Go code ignores IP address SANs, so the '*.2.3.4' form would have to appear in the CN or as a DNSName SAN. If the user sets the "hostname" of a TLS connection to the string form of an IP address, then we will match it against such a wildcard. However, setting the hostname to an IP address isn't supported. So I think this bug boils down to "we should try parsing the hostname that the user asked us to verify as an IP address and fail immediately if it looks like one". Do you agree? If, in the future, we support IP addresses like that, we would need to be careful to match only against IP address SANs, but we don't currently support that at all. Status changed to WaitingForReply.
Note that https://golang.org/cl/7277051/ is effectively a Go 1 API regression, since it breaks anybody using net/http/httptest's NewTLSServer and trying to test against it with httptest.(*Server).URL. Could we keep CL 7277051 but white-list certs using "127.0.0.1" or "[::1]" as subjects? That would keep Go 1 users' tests still working. Is that a security problem for any reason?
This issue was closed by revision 5b20a18. Status changed to Fixed.
FiloSottile pushed a commit to FiloSottile/go that referenced this issue on Oct 12, 2018:
Subject Alternative Names in X.509 certificates may include IP addresses. This change adds support for marshaling, unmarshaling and verifying this form of SAN. It also causes IP addresses to only be checked against IP SANs, rather than against hostnames as was previously the case. This reflects RFC 6125. Fixes golang#4658. R=golang-dev, mikioh.mikioh, bradfitz CC=golang-dev https://golang.org/cl/7336046
Issue reported by richmoore44.