Skip to content
This repository has been archived by the owner on Apr 22, 2023. It is now read-only.

tls: Re-enable checking of CN-ID in server identity verification #5221

Closed
wants to merge 1 commit into from
Closed

tls: Re-enable checking of CN-ID in server identity verification #5221

wants to merge 1 commit into from

Conversation

tmuellerleile
Copy link

RFC 6125 explicitly states that a client "MUST NOT seek a match
for a reference identifier of CN-ID if the presented identifiers
include a DNS-ID, SRV-ID, URI-ID, or any application-specific
identifier types supported by the client", but it MAY do so if
none of the mentioned identifier types (but others) are present.

As certificates with unsupported identifiers in altnames (e. g. email:) are not uncommon, we should be more liberal by resorting to the (deprecated) CN-ID based verification in these cases.

@Nodejs-Jenkins
Copy link

Thank you for contributing this pull request! Here are a few pointers to make sure your submission will be considered for inclusion.

Commit tmuellerleile/node@2ae1963 has the following error(s):

  • First line of commit message must be no longer than 50 characters
  • Commit message must indicate the subsystem this commit changes

The following commiters were not found in the CLA:

  • Tobias Müllerleile

Please see CONTRIBUTING.md for more information

@tmuellerleile
tls: Re-enable check of CN-ID in cert verification
66927ee 
RFC 6125 explicitly states that a client "MUST NOT seek a match
for a reference identifier of CN-ID if the presented identifiers
include a DNS-ID, SRV-ID, URI-ID, or any application-specific
identifier types supported by the client", but it MAY do so if
none of the mentioned identifier types (but others) are present.
@tmuellerleile
Copy link
Author

Fixed commit message wording after Node-Jenkins' hint.

@tmuellerleile
Copy link
Author

It is also of note that all tests in test/simple/test-tls-check-server-identity.js still pass after applying the proposed change.

Furthermore I think that this patch follows the intention of b4b750b by @indutny as the check in line 167:

if (dnsNames.length > 0) matchCN = false;

is basically unnecessary in the current code, since matchCN is previously set to false by the incriminated line 131 if there are any altnames at all (so based on a much weaker condition).

@indutny
Copy link
Member

indutny commented Apr 7, 2013

I did some analysis of what chromium does for certs, I suggest to follow this criterias:

  1. It fallbacks to common name check if there're no DNS names and no IP addresses.

    const bool common_name_fallback = cert_san_dns_names.empty() &&
                                  cert_san_ip_addrs.empty();

  2. If hostname is IP address - it checks against CN only if address is IPv4, otherwise it checks IP altnames.

  3. If hostname is not IP address - it checks against DNS altnames, or CN if common_name_fallback is true.

Therefore this commit looks good to me. Landed with some style fixes in f8bd53bb68216789efaf71e4376b5741f8472b16, thank you!

@indutny indutny closed this Apr 7, 2013
@indutny
Copy link
Member

indutny commented Apr 7, 2013

Backported to v0.8 - 1a95ce5.

@tmuellerleile tmuellerleile mentioned this pull request Apr 12, 2013
Merged
gibfahn pushed a commit to ibmruntimes/node that referenced this pull request Apr 11, 2016
@jasnell
deps: backport 125ac66 from v8 upstream
937ac37 
As requested in nodejs#5221

Original commit message:

  fix debug command processor wrt restart frame.

  R=jkummerow@chromium.org
  BUG=v8:4757
  LOG=N

  Review URL: https://codereview.chromium.org/1700693002

  Cr-Commit-Position: refs/heads/master@{#33983}

PR-URL: nodejs/node#6086
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Michaël Zasso <mic.besace@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
gibfahn pushed a commit to ibmruntimes/node that referenced this pull request Apr 27, 2016
@jasnell
deps: backport 125ac66 from v8 upstream
e6e1bf7 
As requested in nodejs#5221

Original commit message:

  fix debug command processor wrt restart frame.

  R=jkummerow@chromium.org
  BUG=v8:4757
  LOG=N

  Review URL: https://codereview.chromium.org/1700693002

  Cr-Commit-Position: refs/heads/master@{#33983}

PR-URL: nodejs/node#6086
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Michaël Zasso <mic.besace@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
richardlau pushed a commit to ibmruntimes/node that referenced this pull request May 16, 2016
deps: backport 125ac66 from v8 upstream
1e6833e 
As requested in nodejs#5221

Original commit message:

  fix debug command processor wrt restart frame.

  R=jkummerow@chromium.org
  BUG=v8:4757
  LOG=N

  Review URL: https://codereview.chromium.org/1700693002

  Cr-Commit-Position: refs/heads/master@{#33983}

PR-URL: nodejs/node#6086
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Michaël Zasso <mic.besace@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
gibfahn pushed a commit to ibmruntimes/node that referenced this pull request May 25, 2016
deps: backport 125ac66 from v8 upstream
d1fca27 
As requested in nodejs#5221

Original commit message:

  fix debug command processor wrt restart frame.

  R=jkummerow@chromium.org
  BUG=v8:4757
  LOG=N

  Review URL: https://codereview.chromium.org/1700693002

  Cr-Commit-Position: refs/heads/master@{#33983}

PR-URL: nodejs/node#6086
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Michaël Zasso <mic.besace@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
gibfahn pushed a commit to ibmruntimes/node that referenced this pull request May 25, 2016
@gibfahn
deps: backport 125ac66 from v8 upstream
ba287e9 
As requested in nodejs#5221

Original commit message:

  fix debug command processor wrt restart frame.

  R=jkummerow@chromium.org
  BUG=v8:4757
  LOG=N

  Review URL: https://codereview.chromium.org/1700693002

  Cr-Commit-Position: refs/heads/master@{#33983}

PR-URL: nodejs/node#6086
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Michaël Zasso <mic.besace@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
utterstep pushed a commit to lutik-inc/node that referenced this pull request Jun 1, 2016
deps: backport 125ac66 from v8 upstream
632e6b9 
As requested in nodejs#5221

Original commit message:

  fix debug command processor wrt restart frame.

  R=jkummerow@chromium.org
  BUG=v8:4757
  LOG=N

  Review URL: https://codereview.chromium.org/1700693002

  Cr-Commit-Position: refs/heads/master@{#33983}

PR-URL: nodejs/node#6086
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Michaël Zasso <mic.besace@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
richardlau pushed a commit to ibmruntimes/node that referenced this pull request Jun 17, 2016
deps: backport 125ac66 from v8 upstream
232146e 
As requested in nodejs#5221

Original commit message:

  fix debug command processor wrt restart frame.

  R=jkummerow@chromium.org
  BUG=v8:4757
  LOG=N

  Review URL: https://codereview.chromium.org/1700693002

  Cr-Commit-Position: refs/heads/master@{#33983}

PR-URL: nodejs/node#6086
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Michaël Zasso <mic.besace@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@tmuellerleile @Nodejs-Jenkins @indutny