SSL Alternative Subject Name validation

Maxim Dounin mdounin at mdounin.ru
Sat Aug 6 13:29:55 UTC 2016 

Hello!

On Thu, Aug 04, 2016 at 05:07:35PM +0200, Bart Warmerdam wrote:

> Hello,
> 
> According to src/event/ngx_event_openssl.c (line ~ 3094)
> 
>     /*
>      * As per RFC6125 and RFC2818, we check subjectAltName extension,
>      * and if it's not present - commonName in Subject is checked.
>      */
> 
> 
> But according to the https://tools.ietf.org/html/rfc6125 the validation this
> case is more restrictive:
> 
>   0  If a subjectAltName extension of type dNSName is present in the
>       certificate, it SHOULD be used as the source of the server's
>       identity.
> 
> This means that if e.g. an email address (GEN_EMAIL) is part of the
> subjectAltName, and no DNSName is present, the CN name is never checked in
> this case. I'd expect the CN to be checked in this case. The jump to the
> failed label should only be done if there was at least one DNSName. Do you
> share this view and do you accept a patch for this?

The quote above seems to be from a previous RFC as incorporated in 
RFC 6125, Appendix B.  This section is non-normative.

On the other hand, section 6.3 says:

      Security Warning: A client MUST NOT seek a match for a reference
      identifier of CN-ID if the presented identifiers include a DNS-ID,
      SRV-ID, URI-ID, or any application-specific identifier types
      supported by the client.

Moreover, use of CN-ID is strictly optional as per section 6.2.1:

   o  The list MAY include a CN-ID, mainly for the sake of backward
      compatibility with deployed infrastructure.

That is, not checking CN at all is still perfectly compatible with 
RFC 6125.  The above is additionally summarized in the section 
6.4.4, "Checking of Common Names".

The current code only checks CN if there are no subjectAltName 
extension at all, and this approach looks safe while still 
providing backward compatibility.  I don't think this should be 
changed unless there are good practical reasons to do so.

Note well that the code in question exists only to support old 
versions of OpenSSL.  With OpenSSL 1.0.2+ the X509_check_host() 
function will be used instead.

-- 
Maxim Dounin
http://nginx.org/

More information about the nginx-devel mailing list