Package: irssi
Version: 0.8.15-1~bpo50+1
Severity: normal

Irssi now checks that the name in the certificate of a server actually matches the name you try to connect to.
It does that by comparing the hostname to the CN and/or the entries in the subjectAltName of the certificate. However, when going through the subjectAltName entries it appears to only look at DNS: entries, not at any existing IP-Address entries.

Consider this certificate[0]:

| X509v3 Subject Alternative Name:
|     DNS:somehost-ilo, DNS:somehost-ilo.debian.org, DNS:localhost, IP Address:192.0.2.104

And then in irssi:

| /connect -ssl -ssl_verify -ssl_cafile ~/ca-oob.debian.org.crt 192.0.2.104 443
| 10:58 -!- Irssi: Looking up 192.0.2.104
| 10:58 -!- Irssi: Connecting to 192.0.2.104 [192.0.2.104] port 443
| 10:58 -!- Irssi: warning None of the Subject Alt Names in the certificate match hostname '192.0.2.104'
| 10:58 -!- Irssi: Connection lost to 192.0.2.104
| 10:58 -!- Irssi: Removed reconnection to server 192.0.2.104 port 443

Irssi probably should check the IP address entries of the cert, if the server hostname has been given as just an IP address.

Cheers,
weasel

0: it's not from an irc server, but that doesn't matter here. Also, details redacted since it's not available on the public internet anyway.
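
Added example, not part of the original report and not irssi's or OpenSSL's code: a sketch of the type-aware check the report asks for, where an IP literal is compared octet-by-octet against IP Address entries and a name is compared against DNS entries. The `struct san` type, `san_matches_host` and the sample data are hypothetical and constructed from the SAN list quoted above; wildcard matching is left out.

```c
#include <arpa/inet.h>
#include <string.h>
#include <strings.h>

/* Hypothetical simplified subjectAltName entry (not an OpenSSL or irssi type). */
enum san_type { SAN_DNS, SAN_IP };
struct san {
    enum san_type type;
    const unsigned char *data; /* DNS: ASCII name; IP: 4 or 16 raw octets */
    size_t len;
};

/* Returns 1 if host matches an entry of the right type, else 0. */
int san_matches_host(const struct san *sans, size_t n, const char *host)
{
    unsigned char ip[16];
    size_t iplen = 0, hlen = strlen(host);

    /* Decide first whether the user typed an IP literal or a name. */
    if (inet_pton(AF_INET, host, ip) == 1) iplen = 4;
    else if (inet_pton(AF_INET6, host, ip) == 1) iplen = 16;

    for (size_t i = 0; i < n; i++) {
        if (iplen != 0) {
            /* IP literal: compare octets against IP Address entries only,
               so a DNS entry spelling out the digits never matches. */
            if (sans[i].type == SAN_IP && sans[i].len == iplen &&
                memcmp(sans[i].data, ip, iplen) == 0)
                return 1;
        } else if (sans[i].type == SAN_DNS && sans[i].len == hlen &&
                   strncasecmp((const char *)sans[i].data, host, hlen) == 0) {
            return 1; /* name: case-insensitive, full-length match */
        }
    }
    return 0;
}

/* Constructed sample mirroring the SAN list quoted in the report. */
#define DNS(s) { SAN_DNS, (const unsigned char *)(s), sizeof(s) - 1 }
static const unsigned char sample_ip[4] = { 192, 0, 2, 104 };
static const struct san sample_sans[] = {
    DNS("somehost-ilo"), DNS("somehost-ilo.debian.org"), DNS("localhost"),
    { SAN_IP, sample_ip, sizeof sample_ip },
};
#define SAMPLE_N (sizeof sample_sans / sizeof sample_sans[0])

int main(void)
{
    return san_matches_host(sample_sans, SAMPLE_N, "192.0.2.104") ? 0 : 1;
}
```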