Nelson B wrote:
> Ulf Weltman wrote:
>> Hi all. I'm writing some code that prepares compact host:port addresses
>> for certificate CN checking. This is to handle an application that
>> keeps a host list like "foo.example.com 192.168.1.1:2389
>> [fe80::230:6eff:fe4b:703] [fe80::230:6eff:fe4b:703]:3389".
>> After browsing through various RFCs I'm still not sure what rules my
>> address parsing should follow. Does anyone know the answers or have a
>> pointer to where I can find them?
>
> Above, you seem to be asking how to store addresses in your application.
> Below, you seem to be asking how they are stored in certificates.
> I'll answer the questions about what appears in certs.
>
>> 1) Are appended ports actually allowed in the subjectAltName or CN?
>
> No.

How about the return value from SSL_RevealURL(fd)? Will that contain
anything except a hostname?

>> 2) When an IPv6 literal address is in the CN or the subjectAltName, and
>> if the answer to question 1 is that ports are not allowed, then are the
>> square brackets that may surround IPv6 addresses still allowed?
>
> RFC 2818 only allows IP addresses in SubjectAltNames (SANs), not in
> Subject name CommonName attributes.
>
> As defined in RFC 3280, IP addresses in SANs are stored in binary form as
> "octet strings", that is, as 4-byte IPv4 or 16-byte IPv6 binary addresses,
> not as strings of decimal ASCII characters separated by dots, nor
> hexadecimal ASCII characters separated by colons. So, you won't see
> brackets around IP addresses in certificates, because they aren't stored
> as printable strings in certificates.

Does that mean we need to convert them to their string representation
before we call CERT_VerifyCertName(cert, hostname)?

> But even though the RFCs define how IP addresses are represented in
> certificates, I think you'll not find any real CAs that issue certs with
> IP addresses in them. There are a lot of reasons for that. And it's
> not safe to use DNS lookups or reverse DNS lookups as part of the server
> identity verification process. So, IMO, your best bet is to compare
> the host names with the host names in the certs, and leave IP addresses
> out of the server identity verification picture.
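The host-list format from the question and the SAN representation Nelson describes, as an added Python example that is not part of this thread and not NSS code: it splits each entry into host and port (brackets and ports stripped, since neither appears in a certificate), turns IP literals into the packed octet-string form an iPAddress SAN holds, and matches a host against SAN entries with no DNS lookup. The function names and the SAN list are my own constructions.

```python
import ipaddress
from typing import List, Optional, Tuple

# Constructed sample: the application's host list quoted in the question.
HOST_LIST = ("foo.example.com 192.168.1.1:2389 "
             "[fe80::230:6eff:fe4b:703] [fe80::230:6eff:fe4b:703]:3389")


def split_host_port(entry: str) -> Tuple[str, Optional[int]]:
    """Split one entry into (host, port); port is None when absent.
    Square brackets delimit an IPv6 literal. An unbracketed entry with
    more than one colon is a bare IPv6 literal and cannot carry a port."""
    if entry.startswith("["):
        close = entry.find("]")
        if close < 0:
            raise ValueError("unterminated IPv6 literal: %r" % entry)
        host, rest = entry[1:close], entry[close + 1:]
        if rest == "":
            return host, None
        if not rest.startswith(":") or not rest[1:].isdigit():
            raise ValueError("malformed port in: %r" % entry)
        return host, int(rest[1:])
    if entry.count(":") == 1:
        host, port = entry.split(":")
        if not port.isdigit():
            raise ValueError("malformed port in: %r" % entry)
        return host, int(port)
    return entry, None


def parse_host_list(host_list: str) -> List[Tuple[str, Optional[int]]]:
    """Whitespace-separated list of entries, as in the question."""
    return [split_host_port(e) for e in host_list.split()]


def identity_for_cert(host: str) -> Tuple[str, object]:
    """Return the (SAN type, value) pair to compare against. An iPAddress
    SAN holds the 4- or 16-byte packed address (the RFC 3280 octet string);
    a dNSName holds the host name, compared case-insensitively. Brackets
    and ports never appear in either, so they are already stripped here."""
    try:
        return "iPAddress", ipaddress.ip_address(host).packed
    except ValueError:
        return "dNSName", host.lower()


def san_matches(san_entries: List[Tuple[str, object]], host: str) -> bool:
    """Exact match against a list of (type, value) SAN entries; no forward
    or reverse DNS lookup is consulted, per Nelson's advice."""
    return identity_for_cert(host) in san_entries
```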
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto