[openssl-users] x509_config nameConstraints

Ben Humpert ben at an3k.de
Tue May 12 14:56:38 UTC 2015


I love that when it happens :)

2015-05-12 16:56 GMT+02:00 Ben Humpert <ben at an3k.de>:
> Ok, after plenty of testing and some googling: the name constraints
> extension is ... improvable. I ran plenty of tests but it looks like
> the extension is not very well implemented in today's browsers.
>
> I have attached three txt files (DOS format) with the settings and
> results of each test run. Between each test the browser's cache, etc.
> was completely cleared and the browser got restarted. I validated the
> used leaf certificates using serial number / hash and the signing CA
> hash between each test run.
>
> I used "certificate warning" if an error is shown but the user is
> allowed to continue browsing and "certificate error" if the user is
> NOT allowed to continue.
>
> Results:
> - Internet Explorer 11 does not understand the name IP in the
> subjectAltName extension. However, it understands the name DNS.
> - Internet Explorer 11 just knows one certificate warning "This
> website's address doesn't match the address in the security
> certificate" regardless of why the certificate is invalid and no error
> at all.
>
> - (Test Run A.txt) nameConstraints extension NOT present
>   - everything is fine
>
> - (Test Run B.txt) nameConstraints extension present with
> permitted;DNS and permitted;IP
>   - OpenSSL s_client throws "Verify return code: 51 (unsupported name
> constraint type)" whenever the name IP is present in the
> subjectAltName extension. It does not do so when the name DNS is used
> or when no subjectAltName extension is present at all. See Test B1,
> B5, B8 and compare with Test B2, B3, B7
>   - OpenSSL s_client throws "Verify return code: 47 (permitted subtree
> violation)" while there is no violation. See Test B2
>   - OpenSSL s_client does not check for nameConstraints violation in
> CN at all. See Test B7, B10
>   - Firefox does NOT check for nameConstraints violation in CN if
> subjectAltName is present. See Test B5
>   - Firefox just throws a warning "ssl_error_bad_cert_domain" instead
> of an error when the certificate is used on a domain / IP address
> which is not specified in the certificate. See Test B3, B4
>   - Chrome throws an error "Server's certificate is invalid" when
> there is no subjectAltName present but the ip address matches the
> certificate CN. See Test B4
>
> - (Test Run C.txt) nameConstraints extension present with
> permitted;DNS and permitted;IP and permitted;dirName
>   - Firefox throws an error "sec_error_cert_not_in_name_space" even
> when the domain is specified in subjectAltName and no nameConstraints
> violation exists. It's by the way the first time Internet Explorer
> acted correctly ;). See Test C2
>   - OpenSSL s_client throws "Verify return code: 47 (permitted subtree
> violation)" while there is no violation. See Test C2
>   - Chrome, Firefox (and for sure Internet Explorer) threw an error
> while there is no nameConstraints violation. Only OpenSSL s_client
> acted correctly (but only because it doesn't check CN). See Test C4
-------------- next part --------------
Ok, after plenty of testing and some googling: the name constraints extension is ... improvable.

My Structure:
- Root CA
  - Intermediate CA 1
    - Intermediate CA 2
      - Intermediate CA 3
        - Signing CA

The Intermediate CA 3 writes name constraints into the Signing CA's certificate. The web server provides certificates for all Intermediate CAs and the Signing CA in the correct order.

I didn't have any nameConstraints configured in these tests
###################################
Test A1

leaf certificate issued to >> E = root at an3k.de, CN = backup.an3k.lan, O = an3k Industries Ltd., L = Munich, S = DE-BY, C = DE <<
subjectAltName=IP:10.11.12.13

- Google Chrome 42
  https://backup.an3k.lan	certification warning ("Server's certificate does not match the URL")
  https://10.11.12.13		green lock

- Mozilla Firefox 37
  https://backup.an3k.lan	certification warning ("ssl_error_bad_cert_domain")
  https://10.11.12.13		gray lock

- Internet Explorer 11
  https://backup.an3k.lan	black lock
  https://10.11.12.13		certification warning ("This website's address doesn't match the address in the security certificate")

- OpenSSL 1.0.1f (Ubuntu Server 14.04.2) s_client 
  https://10.11.12.13		"Verify return code: 0 (ok)"
###################################
Test A2 (need to test)

leaf certificate issued to >> E = root at an3k.de, CN = 10.11.12.13, O = an3k Industries Ltd., L = Munich, S = DE-BY, C = DE <<
subjectAltName=DNS:backup.an3k.lan

- Google Chrome 42
  https://backup.an3k.lan	green lock
  https://10.11.12.13		certification warning ("Server's certificate does not match the URL")

- Mozilla Firefox 37
  https://backup.an3k.lan	gray lock
  https://10.11.12.13		certification warning ("ssl_error_bad_cert_domain")

- Internet Explorer 11
  https://backup.an3k.lan	black lock
  https://10.11.12.13		certification warning ("This website's address doesn't match the address in the security certificate")

- OpenSSL 1.0.1f (Ubuntu Server 14.04.2) s_client 
  https://10.11.12.13		"Verify return code: 0 (ok)"
###################################
Test A3

leaf certificate issued to >> E = root at an3k.de, CN = backup.an3k.lan, O = an3k Industries Ltd., L = Munich, S = DE-BY, C = DE <<
no subjectAltName extension

- Google Chrome 42
  https://backup.an3k.lan	green lock
  https://10.11.12.13		certification warning ("Server's certificate does not match the URL")

- Mozilla Firefox 37
  https://backup.an3k.lan	gray lock
  https://10.11.12.13		certification warning ("ssl_error_bad_cert_domain")

- Internet Explorer 11
  https://backup.an3k.lan	black lock
  https://10.11.12.13		certification warning ("This website's address doesn't match the address in the security certificate")

- OpenSSL 1.0.1f (Ubuntu Server 14.04.2) s_client 
  https://10.11.12.13		"Verify return code: 0 (ok)"
###################################
Test A4

leaf certificate issued to >> E = root at an3k.de, CN = 10.11.12.13, O = an3k Industries Ltd., L = Munich, S = DE-BY, C = DE <<
no subjectAltName extension

- Google Chrome 42
  https://backup.an3k.lan	certification error ("Server's certificate is invalid")
  https://10.11.12.13		green lock

- Mozilla Firefox 37
  https://backup.an3k.lan	certification warning ("ssl_error_bad_cert_domain")
  https://10.11.12.13		gray lock

- Internet Explorer 11
  https://backup.an3k.lan	certification warning ("This website's address doesn't match the address in the security certificate")
  https://10.11.12.13		black lock

- OpenSSL 1.0.1f (Ubuntu Server 14.04.2) s_client 
  https://10.11.12.13		"Verify return code: 0 (ok)"
-------------- next part --------------
Ok, after plenty of testing and some googling: the name constraints extension is ... improvable.

My Structure:
- Root CA
  - Intermediate CA 1
    - Intermediate CA 2
      - Intermediate CA 3
        - Signing CA

The Intermediate CA 3 writes name constraints into the Signing CA's certificate. The web server provides certificates for all Intermediate CAs and the Signing CA in the correct order.

I used this configuration:
permitted;DNS.0=.lan
permitted;DNS.1=.local
permitted;IP.0=10.0.0.0/255.0.0.0
permitted;IP.1=172.16.0.0/255.240.0.0
permitted;IP.2=192.168.0.0/255.255.0.0
###################################
Test B1

leaf certificate issued to >> E = root at an3k.de, CN = backup.an3k.lan, O = an3k Industries Ltd., L = Munich, S = DE-BY, C = DE <<
subjectAltName=IP:10.11.12.13

- Google Chrome 42
  https://backup.an3k.lan	certification warning ("Server's certificate does not match the URL")
  https://10.11.12.13		green lock

- Mozilla Firefox 37
  https://backup.an3k.lan	certification warning ("ssl_error_bad_cert_domain")
  https://10.11.12.13		gray lock

- Internet Explorer 11
  https://backup.an3k.lan	black lock
  https://10.11.12.13		certification warning ("This website's address doesn't match the address in the security certificate")

- OpenSSL 1.0.1f (Ubuntu Server 14.04.2) s_client
  https://10.11.12.13		"Verify return code: 51 (unsupported name constraint type)"
###################################
Test B2

leaf certificate issued to >> E = root at an3k.de, CN = 10.11.12.13, O = an3k Industries Ltd., L = Munich, S = DE-BY, C = DE <<
subjectAltName=DNS:backup.an3k.lan

- Google Chrome 42
  https://backup.an3k.lan	green lock
  https://10.11.12.13		certification warning ("Server's certificate does not match the URL")

- Mozilla Firefox 37
  https://backup.an3k.lan	gray lock
  https://10.11.12.13		certification warning ("ssl_error_bad_cert_domain")

- Internet Explorer 11
  https://backup.an3k.lan	black lock
  https://10.11.12.13		certification warning ("This website's address doesn't match the address in the security certificate")

- OpenSSL 1.0.1f (Ubuntu Server 14.04.2) s_client
  https://10.11.12.13		"Verify return code: 47 (permitted subtree violation)"
###################################
Test B3

leaf certificate issued to >> E = root at an3k.de, CN = backup.an3k.lan, O = an3k Industries Ltd., L = Munich, S = DE-BY, C = DE <<
no subjectAltName extension

- Google Chrome 42
  https://backup.an3k.lan	green lock
  https://10.11.12.13		certification error ("Server's certificate is invalid")

- Mozilla Firefox 37
  https://backup.an3k.lan	gray lock
  https://10.11.12.13		certification warning ("ssl_error_bad_cert_domain")

- Internet Explorer 11
  https://backup.an3k.lan	black lock
  https://10.11.12.13		certification warning ("This website's address doesn't match the address in the security certificate")

- OpenSSL 1.0.1f (Ubuntu Server 14.04.2) s_client
  https://10.11.12.13		"Verify return code: 0 (ok)"
###################################
Test B4

leaf certificate issued to >> E = root at an3k.de, CN = 10.11.12.13, O = an3k Industries Ltd., L = Munich, S = DE-BY, C = DE <<
no subjectAltName extension

- Google Chrome 42
  https://backup.an3k.lan	certification error ("Server's certificate does not match the URL" and "Server's certificate is invalid")
  https://10.11.12.13		certification error ("Server's certificate is invalid")

- Mozilla Firefox 37
  https://backup.an3k.lan	certification warning ("ssl_error_bad_cert_domain")
  https://10.11.12.13		gray lock

- Internet Explorer 11
  https://backup.an3k.lan	certification warning ("This website's address doesn't match the address in the security certificate")
  https://10.11.12.13		certification warning ("This website's address doesn't match the address in the security certificate")

- OpenSSL 1.0.1f (Ubuntu Server 14.04.2) s_client
  https://10.11.12.13		"Verify return code: 0 (ok)"
###################################
Test B5

leaf certificate issued to >> E = root at an3k.de, CN = www.an3k.de, O = an3k Industries Ltd., L = Munich, S = DE-BY, C = DE <<
subjectAltName=IP:10.11.12.13

- Google Chrome 42
  https://www.an3k.de		certification error ("Server's certificate does not match the URL" and "Server's certificate is invalid")
  https://10.11.12.13		certification error ("Server's certificate is invalid")

- Mozilla Firefox 37
  https://www.an3k.de		certification warning ("ssl_error_bad_cert_domain")
  https://10.11.12.13		gray lock

- Internet Explorer 11
  https://www.an3k.de		certification warning ("This website's address doesn't match the address in the security certificate")
  https://10.11.12.13		certification warning ("This website's address doesn't match the address in the security certificate")

- OpenSSL 1.0.1f (Ubuntu Server 14.04.2) s_client
  https://10.11.12.13		"Verify return code: 51 (unsupported name constraint type)"
###################################
Test B6

leaf certificate issued to >> E = root at an3k.de, CN = 10.11.12.13, O = an3k Industries Ltd., L = Munich, S = DE-BY, C = DE <<
subjectAltName=DNS:www.an3k.de

- Google Chrome 42
  https://www.an3k.de		certification error ("Server's certificate is invalid")
  https://10.11.12.13		certification error ("Server's certificate does not match the URL" and "Server's certificate is invalid")

- Mozilla Firefox 37
  https://www.an3k.de		certification error ("sec_error_cert_not_in_name_space")
  https://10.11.12.13		certification error ("sec_error_cert_not_in_name_space")

- Internet Explorer 11
  https://www.an3k.de		certification warning ("This website's address doesn't match the address in the security certificate")
  https://10.11.12.13		certification warning ("This website's address doesn't match the address in the security certificate")

- OpenSSL 1.0.1f (Ubuntu Server 14.04.2) s_client
  https://10.11.12.13		"Verify return code: 47 (permitted subtree violation)"
###################################
Test B7

leaf certificate issued to >> E = root at an3k.de, CN = www.an3k.de, O = an3k Industries Ltd., L = Munich, S = DE-BY, C = DE <<
no subjectAltName extension

- Google Chrome 42
  https://www.an3k.de		certification error ("Server's certificate is invalid")
  https://10.11.12.13		certification error ("Server's certificate does not match the URL" and "Server's certificate is invalid")

- Mozilla Firefox 37
  https://www.an3k.de		certification error ("sec_error_cert_not_in_name_space")
  https://10.11.12.13		certification error ("sec_error_cert_not_in_name_space")

- Internet Explorer 11
  https://www.an3k.de		certification warning ("This website's address doesn't match the address in the security certificate")
  https://10.11.12.13		certification warning ("This website's address doesn't match the address in the security certificate")

- OpenSSL 1.0.1f (Ubuntu Server 14.04.2) s_client
  https://10.11.12.13		"Verify return code: 0 (ok)"
###################################
Test B8

leaf certificate issued to >> E = root at an3k.de, CN = www.an3k.de, O = an3k Industries Ltd., L = Munich, S = DE-BY, C = DE <<
subjectAltName=IP:8.8.8.8

- Google Chrome 42
  https://www.an3k.de		certification error ("Server's certificate does not match the URL" and "Server's certificate is invalid")
  https://10.11.12.13		certification error ("Server's certificate does not match the URL" and "Server's certificate is invalid")

- Mozilla Firefox 37
  https://www.an3k.de		certification error ("sec_error_cert_not_in_name_space")
  https://10.11.12.13		certification error ("sec_error_cert_not_in_name_space")

- Internet Explorer 11
  https://www.an3k.de		certification warning ("This website's address doesn't match the address in the security certificate")
  https://10.11.12.13		certification warning ("This website's address doesn't match the address in the security certificate")

- OpenSSL 1.0.1f (Ubuntu Server 14.04.2) s_client
  https://10.11.12.13		"Verify return code: 51 (unsupported name constraint type)"
###################################
Test B9

leaf certificate issued to >> E = root at an3k.de, CN = 8.8.8.8, O = an3k Industries Ltd., L = Munich, S = DE-BY, C = DE <<
subjectAltName=DNS:www.an3k.de

- Google Chrome 42
  https://www.an3k.de		certification error ("Server's certificate is invalid")
  https://10.11.12.13		certification error ("Server's certificate does not match the URL" and "Server's certificate is invalid")

- Mozilla Firefox 37
  https://www.an3k.de		certification error ("sec_error_cert_not_in_name_space")
  https://10.11.12.13		certification error ("sec_error_cert_not_in_name_space")

- Internet Explorer 11
  https://www.an3k.de		certification warning ("This website's address doesn't match the address in the security certificate")
  https://10.11.12.13		certification warning ("This website's address doesn't match the address in the security certificate")

- OpenSSL 1.0.1f (Ubuntu Server 14.04.2) s_client
  https://10.11.12.13		"Verify return code: 47 (permitted subtree violation)"
###################################
Test B10

leaf certificate issued to >> E = root at an3k.de, CN = 8.8.8.8, O = an3k Industries Ltd., L = Munich, S = DE-BY, C = DE <<
no subjectAltName extension

- Google Chrome 42
  https://backup.an3k.lan	certification error ("Server's certificate does not match the URL" and "Server's certificate is invalid")
  https://10.11.12.13		certification error ("Server's certificate does not match the URL" and "Server's certificate is invalid")

- Mozilla Firefox 37
  https://backup.an3k.lan	certification error ("sec_error_cert_not_in_name_space")
  https://10.11.12.13		certification error ("sec_error_cert_not_in_name_space")

- Internet Explorer 11
  https://backup.an3k.lan	certification warning ("This website's address doesn't match the address in the security certificate")
  https://10.11.12.13		certification warning ("This website's address doesn't match the address in the security certificate")

- OpenSSL 1.0.1f (Ubuntu Server 14.04.2) s_client
  https://10.11.12.13		"Verify return code: 0 (ok)"
-------------- next part --------------
Ok, after plenty of testing and some googling: the name constraints extension is ... improvable.

My Structure:
- Root CA
  - Intermediate CA 1
    - Intermediate CA 2
      - Intermediate CA 3
        - Signing CA

The Intermediate CA 3 writes name constraints into the Signing CA's certificate. The web server provides certificates for all Intermediate CAs and the Signing CA in the correct order.

I used this configuration:
permitted;DNS.0=.lan
permitted;DNS.1=.local
permitted;IP.0=10.0.0.0/255.0.0.0
permitted;IP.1=172.16.0.0/255.240.0.0
permitted;IP.2=192.168.0.0/255.255.0.0
permitted;dirName=dir_sect

[dir_sect]
CN=10.11.12.13
###################################
Test C1

leaf certificate issued to >> CN = backup.an3k.lan <<
subjectAltName=IP:10.11.12.13

- Google Chrome 42
  https://backup.an3k.lan	certification error ("Server's certificate does not match the URL" and "Server's certificate is invalid")
  https://10.11.12.13		certification error ("Server's certificate is invalid")

- Mozilla Firefox 37
  https://backup.an3k.lan	certification error ("sec_error_cert_not_in_name_space")
  https://10.11.12.13		certification error ("sec_error_cert_not_in_name_space")

- Internet Explorer 11
  https://backup.an3k.lan	certification warning ("This website's address doesn't match the address in the security certificate")
  https://10.11.12.13		certification warning ("This website's address doesn't match the address in the security certificate")

- OpenSSL 1.0.1f (Ubuntu Server 14.04.2) s_client
  https://10.11.12.13		"Verify return code: 47 (permitted subtree violation)"
###################################
Test C2

leaf certificate issued to >> CN = 10.11.12.13 <<
subjectAltName=DNS:backup.an3k.lan

- Google Chrome 42
  https://backup.an3k.lan	green lock
  https://10.11.12.13		certification warning ("Server's certificate does not match the URL")

- Mozilla Firefox 37
  https://backup.an3k.lan	certification error ("sec_error_cert_not_in_name_space")
  https://10.11.12.13		certification error ("sec_error_cert_not_in_name_space")

- Internet Explorer 11
  https://backup.an3k.lan	black lock
  https://10.11.12.13		certification warning ("This website's address doesn't match the address in the security certificate")

- OpenSSL 1.0.1f (Ubuntu Server 14.04.2) s_client
  https://10.11.12.13		"Verify return code: 47 (permitted subtree violation)"
###################################
Test C3

leaf certificate issued to >> CN = backup.an3k.lan <<
no subjectAltName extension

- Google Chrome 42
  https://backup.an3k.lan	certification error ("Server's certificate is invalid")
  https://10.11.12.13		certification error ("Server's certificate does not match the URL" and "Server's certificate is invalid")

- Mozilla Firefox 37
  https://backup.an3k.lan	certification error ("sec_error_cert_not_in_name_space")
  https://10.11.12.13		certification error ("sec_error_cert_not_in_name_space")

- Internet Explorer 11
  https://backup.an3k.lan	certification warning ("This website's address doesn't match the address in the security certificate")
  https://10.11.12.13		certification warning ("This website's address doesn't match the address in the security certificate")

- OpenSSL 1.0.1f (Ubuntu Server 14.04.2) s_client
  https://10.11.12.13		"Verify return code: 47 (permitted subtree violation)"
###################################
Test C4

leaf certificate issued to >> CN = 10.11.12.13 <<
no subjectAltName extension

- Google Chrome 42
  https://backup.an3k.lan	certification error ("Server's certificate does not match the URL" and "Server's certificate is invalid")
  https://10.11.12.13		certification error ("Server's certificate is invalid")

- Mozilla Firefox 37
  https://backup.an3k.lan	certification error ("sec_error_cert_not_in_name_space")
  https://10.11.12.13		certification error ("sec_error_cert_not_in_name_space")

- Internet Explorer 11
  https://backup.an3k.lan	certification warning ("This website's address doesn't match the address in the security certificate")
  https://10.11.12.13		certification warning ("This website's address doesn't match the address in the security certificate")

- OpenSSL 1.0.1f (Ubuntu Server 14.04.2) s_client
  https://10.11.12.13		"Verify return code: 0 (ok)"
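The following script is an added example; it is not part of the post or its attachments and is not OpenSSL project code. It rebuilds the Test Run B setup with the openssl CLI so that the cases above can be re-run against whatever OpenSSL version you have: the five-level chain is collapsed to Root CA -> Signing CA, the permitted subtrees from Test Run B are put into the Signing CA certificate, and three leaves are issued (one inside both subtrees, one with a DNS name outside, one with an IP address outside). The file names, subjects, the P-256 keys and the work directory are assumptions for this demo; it expects openssl 1.1.1 or newer on PATH. verify_leaf performs the chain validation (where name constraints are enforced) and, when given a hostname, the separate identity check via -verify_hostname.

```shell
#!/bin/sh
# Added example (not from the original post or the OpenSSL project): rebuild a
# nameConstraints test bed with the openssl CLI. The chain is collapsed to
# Root CA -> Signing CA, with the permitted subtrees of Test Run B placed in the
# Signing CA certificate. File names, subjects and the work directory are
# assumptions for this demo. Requires openssl 1.1.1 or newer on PATH.
set -eu

WORK="${WORK:-$(mktemp -d)}"
CNF="$WORK/ext.cnf"

# Extension profiles for every certificate in the test bed.
write_config() {
  cat > "$CNF" <<'EOF'
[ca_root]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign

# Signing CA: the permitted subtrees from Test Run B. Marked critical so a
# verifier that does not implement the extension has to reject the chain.
[ca_signing]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
nameConstraints = critical, @nc_sect

[nc_sect]
permitted;DNS.0 = .lan
permitted;DNS.1 = .local
permitted;IP.0 = 10.0.0.0/255.0.0.0
permitted;IP.1 = 172.16.0.0/255.240.0.0
permitted;IP.2 = 192.168.0.0/255.255.0.0

# Leaf profiles: inside both subtrees, a DNS name outside (cf. Test B6),
# and an IP address outside (cf. Test B8).
[leaf_inside]
subjectAltName = DNS:backup.an3k.lan, IP:10.11.12.13
[leaf_outside_dns]
subjectAltName = DNS:www.an3k.de
[leaf_outside_ip]
subjectAltName = DNS:backup.an3k.lan, IP:8.8.8.8
EOF
}

# issue NAME SUBJECT EXT_SECTION [ISSUER]: make a P-256 key and CSR, then sign
# it with the extensions of EXT_SECTION. Without ISSUER the cert is self-signed.
issue() {
  openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:prime256v1 \
    -out "$WORK/$1.key" 2>/dev/null
  openssl req -new -key "$WORK/$1.key" -subj "$2" -out "$WORK/$1.csr" 2>/dev/null
  if [ $# -lt 4 ]; then
    openssl x509 -req -in "$WORK/$1.csr" -signkey "$WORK/$1.key" -days 365 \
      -extfile "$CNF" -extensions "$3" -out "$WORK/$1.pem" 2>/dev/null
  else
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$4.pem" -CAkey "$WORK/$4.key" \
      -CAcreateserial -days 365 -extfile "$CNF" -extensions "$3" \
      -out "$WORK/$1.pem" 2>/dev/null
  fi
}

# Build root, constrained signing CA and the three leaves (idempotent).
build_pki() {
  [ -f "$WORK/outside_ip.pem" ] && return 0
  write_config
  issue root        "/CN=Root CA"         ca_root
  issue signing     "/CN=Signing CA"      ca_signing       root
  issue inside      "/CN=backup.an3k.lan" leaf_inside      signing
  issue outside_dns "/CN=www.an3k.de"     leaf_outside_dns signing
  issue outside_ip  "/CN=backup.an3k.lan" leaf_outside_ip  signing
}

# verify_leaf NAME [HOST]: chain-validate NAME against the root with the Signing
# CA as untrusted intermediate; this is where name constraints are enforced.
# With HOST, also require the certificate to match that hostname, which is the
# separate identity check a browser performs after the chain is accepted.
# Prints "ok" or OpenSSL's reason text, e.g. "permitted subtree violation".
verify_leaf() {
  leaf="$WORK/$1.pem"
  host_opt=""
  [ $# -ge 2 ] && host_opt="-verify_hostname $2"
  # $host_opt is intentionally unquoted so that it splits into two arguments.
  if out=$(openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/signing.pem" \
             $host_opt "$leaf" 2>&1); then
    echo ok
  else
    printf '%s\n' "$out" | sed -n 's/.*depth lookup: *//p' | head -n 1
  fi
}

build_pki
for leaf in inside outside_dns outside_ip; do
  printf '%-12s chain: %s\n' "$leaf" "$(verify_leaf "$leaf")"
done
printf 'inside as backup.an3k.lan: %s\n' "$(verify_leaf inside backup.an3k.lan)"
printf 'inside as www.an3k.de:     %s\n' "$(verify_leaf inside www.an3k.de)"
```

With OpenSSL 1.1.1 or 3.x the inside leaf verifies "ok", both outside leaves are rejected with error 47 (permitted subtree violation) before any hostname check runs, and the inside leaf passes for backup.an3k.lan but fails for www.an3k.de because that name is simply not in its subjectAltName. To replay the remaining B-series cases (IP address in the CN, no subjectAltName at all), add the matching leaf sections to write_config and a corresponding issue line to build_pki, then call verify_leaf with and without a hostname; keeping the two checks apart makes it clear whether a failure comes from the constraints in the Signing CA certificate or from the name the client was asked to match.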

