Ulf Weltman wrote:
> Hi all. I'm writing some code that prepares compact host:port addresses
> for certificate CN checking. This is to handle an application that
> keeps a host list like "foo.example.com 192.168.1.1:2389
> [fe80::230:6eff:fe4b:703] [fe80::230:6eff:fe4b:703]:3389".
>
> After browsing through various RFCs I'm still not sure what rules my
> address parsing should follow. Does anyone know the answers or have a
> pointer to where I can find them?
Above, you seem to be asking how to store addresses in your application. Below, you seem to be asking how they are stored in certificates. I'll answer the questions about what appears in certs.

> 1) Are appended ports actually allowed in the subjectAltName or CN?

No.

> 2) When an IPv6 literal address is in the CN or the subjectAltName, and
> if the answer to question 1 is that ports are not allowed, then are the
> square brackets that may surround IPv6 addresses still allowed?

RFC 2818 only allows IP addresses in SubjectAltNames (SANs), not in Subject name CommonName attributes. As defined in RFC 3280, IP addresses in SANs are stored in binary form as "octet strings", that is, as 4-byte IPv4 or 16-byte IPv6 binary addresses, not as strings of decimal ASCII characters separated by dots, nor hexadecimal ASCII characters separated by colons. So, you won't see brackets around IP addresses in certificates, because they aren't stored as printable strings in certificates.

But even though the RFCs define how IP addresses are represented in certificates, I think you'll not find any real CAs that issue certs with IP addresses in them. There are a lot of reasons for that. And it's not safe to use DNS lookups or reverse DNS lookups as part of the server identity verification process. So, IMO, your best bet is to compare the host names with the host names in the certs, and leave IP addresses out of the server identity verification picture.

-- 
Nelson B
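As an added illustration of the two points in this thread (not code from either poster): a parser for the compact host-list entries from the question that strips the port, and a matcher that compares the remaining host against parsed SAN entries, treating iPAddress values as the raw 4- or 16-byte octet strings RFC 3280 specifies rather than as text. The `(type, value)` SAN representation, the `SAMPLE_SANS` list and all function names are assumptions made for this example.

```python
import ipaddress

def split_host_port(entry):
    """Split a compact host-list entry into (host, port or None).
    Handles "foo.example.com", "192.168.1.1:2389", "[fe80::1]" and
    "[fe80::1]:3389"; a bare unbracketed IPv6 literal is returned with no port."""
    if entry.startswith("["):
        end = entry.find("]")
        if end < 0:
            raise ValueError("unterminated IPv6 literal: %r" % entry)
        host, rest = entry[1:end], entry[end + 1:]
        if rest == "":
            return host, None
        if not rest.startswith(":"):
            raise ValueError("junk after IPv6 literal: %r" % entry)
        return host, int(rest[1:])
    if entry.count(":") == 1:          # exactly one colon: host:port
        host, port = entry.split(":")
        return host, int(port)
    return entry, None                 # host name or unbracketed IPv6

def san_matches(host, sans):
    """True if host matches one (type, value) SAN entry. iPAddress values are the
    raw 4- or 16-byte octet strings RFC 3280 stores, so IP literals are compared
    in packed binary form (any textual spelling of the address matches). dNSName
    values are compared case-insensitively and exactly; wildcards are out of scope."""
    try:
        packed = ipaddress.ip_address(host).packed
    except ValueError:
        packed = None                  # not an IP literal, treat as host name
    for kind, value in sans:
        if kind == "iPAddress" and packed is not None and value == packed:
            return True
        if kind == "dNSName" and packed is None and value.lower() == host.lower():
            return True
    return False

# Constructed sample of a parsed SAN extension (hypothetical cert, not a real one).
SAMPLE_SANS = [
    ("dNSName", "foo.example.com"),
    ("iPAddress", bytes([192, 168, 1, 1])),                                 # 4-byte IPv4
    ("iPAddress", ipaddress.ip_address("fe80::230:6eff:fe4b:703").packed),  # 16-byte IPv6
]

def entry_matches(entry, sans):
    """Check one host-list entry against SANs; the port plays no part in identity."""
    host, _port = split_host_port(entry)
    return san_matches(host, sans)
```

Note that an IP literal never matches a dNSName entry holding the same text, which is the point Nelson makes: the address is bytes in the cert, not a printable string.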