[openssl-users] x509_config nameConstraints
Ben Humpert
ben at an3k.de
Tue May 12 14:56:38 UTC 2015
I love that when it happens :)
2015-05-12 16:56 GMT+02:00 Ben Humpert <ben at an3k.de>:
> Ok, after plenty of testing and some googling: the name constraints
> extension is ... improvable. I ran plenty of tests but it looks like
> the extension is not very well implemented in today's browsers.
>
> I have attached three txt files (DOS format) with the settings and
> results of each test run. Between each test the browser's cache, etc.
> was completely cleared and the browser got restarted. I validated the
> used leaf certificates using serial number / hash and the signing CA
> hash between each test run.
>
> I used "certificate warning" if an error is shown but the user is
> allowed to continue browsing and "certificate error" if the user is
> NOT allowed to continue.
>
> Results:
> - Internet Explorer 11 does not understand the name IP in the
> subjectAltName extension. However it understands the name DNS.
> - Internet Explorer 11 just knows one certificate warning "This
> website's address doesn't match the address in the security
> certificate" regardless of why the certificate is invalid and no error
> at all.
>
> - (Test Run A.txt) nameConstraints extension NOT present
> - everything is fine
>
> - (Test Run B.txt) nameConstraints extension present with
> permitted;DNS and permitted;IP
> - OpenSSL s_client throws "Verify return code: 51 (unsupported name
> constraint type)" whenever the name IP is present in the
> subjectAltName extension. It does not do so when the name DNS is used
> or when no subjectAltName extension is present at all. See Test B1,
> B5, B8 and compare with Test B2, B3, B7
> - OpenSSL s_client throws "Verify return code: 47 (permitted subtree
> violation)" while there is no violation. See Test B2
> - OpenSSL s_client does not check for nameConstraints violation in
> CN at all. See Test B7, B10
> - Firefox does NOT check for nameConstraints violation in CN if
> subjectAltName is present. See Test B5
> - Firefox just throws a warning "ssl_error_bad_cert_domain" instead
> of an error when the certificate is used on a domain / ip address
> which is not specified in the certificate. See Test B3, B4
> - Chrome throws an error "Server's certificate is invalid" when
> there is no subjectAltName present but the ip address matches the
> certificate CN. See Test B4
>
> - (Test Run C.txt) nameConstraints extension present with
> permitted;DNS and permitted;IP and permitted;dirName
> - Firefox throws an error "sec_error_cert_not_in_name_space" even
> when the domain is specified in subjectAltName and no nameConstraints
> violation exists. It's by the way the first time Internet Explorer
> acted correctly ;). See Test C2
> - OpenSSL s_client throws "Verify return code: 47 (permitted subtree
> violation)" while there is no violation. See Test C2
> - Chrome, Firefox (and for sure Internet Explorer) threw an error
> while there is no nameConstraints violation. Only OpenSSL s_client
> acted correctly (but only because it doesn't check CN). See Test C4
-------------- next part --------------
Ok, after plenty of testing and some googling: the name constraints extension is ... improvable.
My Structure:
- Root CA
- Intermediate CA 1
- Intermediate CA 2
- Intermediate CA 3
- Signing CA
The Intermediate CA 3 writes name constraints into the Signing CA's certificate. The web server provides certificates for all Intermediate CAs and the Signing CA in the correct order.
I didn't have any nameConstraints configured in these tests
###################################
Test A1
leaf certificate issued to >> E = root at an3k.de, CN = backup.an3k.lan, O = an3k Industries Ltd., L = Munich, S = DE-BY, C = DE <<
subjectAltName=IP:10.11.12.13
- Google Chrome 42
https://backup.an3k.lan certification warning ("Server's certificate does not match the URL")
https://10.11.12.13 green lock
- Mozilla Firefox 37
https://backup.an3k.lan certification warning ("ssl_error_bad_cert_domain")
https://10.11.12.13 gray lock
- Internet Explorer 11
https://backup.an3k.lan black lock
https://10.11.12.13 certification warning ("This website's address doesn't match the address in the security certificate")
- OpenSSL 1.0.1f (Ubuntu Server 14.04.2) s_client
https://10.11.12.13 "Verify return code: 0 (ok)"
###################################
Test A2 (need to test)
leaf certificate issued to >> E = root at an3k.de, CN = 10.11.12.13, O = an3k Industries Ltd., L = Munich, S = DE-BY, C = DE <<
subjectAltName=DNS:backup.an3k.lan
- Google Chrome 42
https://backup.an3k.lan green lock
https://10.11.12.13 certification warning ("Server's certificate does not match the URL")
- Mozilla Firefox 37
https://backup.an3k.lan gray lock
https://10.11.12.13 certification warning ("ssl_error_bad_cert_domain")
- Internet Explorer 11
https://backup.an3k.lan black lock
https://10.11.12.13 certification warning ("This website's address doesn't match the address in the security certificate")
- OpenSSL 1.0.1f (Ubuntu Server 14.04.2) s_client
https://10.11.12.13 "Verify return code: 0 (ok)"
###################################
Test A3
leaf certificate issued to >> E = root at an3k.de, CN = backup.an3k.lan, O = an3k Industries Ltd., L = Munich, S = DE-BY, C = DE <<
no subjectAltName extension
- Google Chrome 42
https://backup.an3k.lan green lock
https://10.11.12.13 certification warning ("Server's certificate does not match the URL")
- Mozilla Firefox 37
https://backup.an3k.lan gray lock
https://10.11.12.13 certification warning ("ssl_error_bad_cert_domain")
- Internet Explorer 11
https://backup.an3k.lan black lock
https://10.11.12.13 certification warning ("This website's address doesn't match the address in the security certificate")
- OpenSSL 1.0.1f (Ubuntu Server 14.04.2) s_client
https://10.11.12.13 "Verify return code: 0 (ok)"
###################################
Test A4
leaf certificate issued to >> E = root at an3k.de, CN = 10.11.12.13, O = an3k Industries Ltd., L = Munich, S = DE-BY, C = DE <<
no subjectAltName extension
- Google Chrome 42
https://backup.an3k.lan certification error ("Server's certificate is invalid")
https://10.11.12.13 green lock
- Mozilla Firefox 37
https://backup.an3k.lan certification warning ("ssl_error_bad_cert_domain")
https://10.11.12.13 gray lock
- Internet Explorer 11
https://backup.an3k.lan certification warning ("This website's address doesn't match the address in the security certificate")
https://10.11.12.13 black lock
- OpenSSL 1.0.1f (Ubuntu Server 14.04.2) s_client
https://10.11.12.13 "Verify return code: 0 (ok)"
-------------- next part --------------
Ok, after plenty of testing and some googling: the name constraints extension is ... improvable.
My Structure:
- Root CA
- Intermediate CA 1
- Intermediate CA 2
- Intermediate CA 3
- Signing CA
The Intermediate CA 3 writes name constraints into the Signing CA's certificate. The web server provides certificates for all Intermediate CAs and the Signing CA in the correct order.
I used this configuration:
permitted;DNS.0=.lan
permitted;DNS.1=.local
permitted;IP.0=10.0.0.0/255.0.0.0
permitted;IP.1=172.16.0.0/255.240.0.0
permitted;IP.2=192.168.0.0/255.255.0.0
###################################
Test B1
leaf certificate issued to >> E = root at an3k.de, CN = backup.an3k.lan, O = an3k Industries Ltd., L = Munich, S = DE-BY, C = DE <<
subjectAltName=IP:10.11.12.13
- Google Chrome 42
https://backup.an3k.lan certification warning ("Server's certificate does not match the URL")
https://10.11.12.13 green lock
- Mozilla Firefox 37
https://backup.an3k.lan certification warning ("ssl_error_bad_cert_domain")
https://10.11.12.13 gray lock
- Internet Explorer 11
https://backup.an3k.lan black lock
https://10.11.12.13 certification warning ("This website's address doesn't match the address in the security certificate")
- OpenSSL 1.0.1f (Ubuntu Server 14.04.2) s_client
https://10.11.12.13 "Verify return code: 51 (unsupported name constraint type)"
###################################
Test B2
leaf certificate issued to >> E = root at an3k.de, CN = 10.11.12.13, O = an3k Industries Ltd., L = Munich, S = DE-BY, C = DE <<
subjectAltName=DNS:backup.an3k.lan
- Google Chrome 42
https://backup.an3k.lan green lock
https://10.11.12.13 certification warning ("Server's certificate does not match the URL")
- Mozilla Firefox 37
https://backup.an3k.lan gray lock
https://10.11.12.13 certification warning ("ssl_error_bad_cert_domain")
- Internet Explorer 11
https://backup.an3k.lan black lock
https://10.11.12.13 certification warning ("This website's address doesn't match the address in the security certificate")
- OpenSSL 1.0.1f (Ubuntu Server 14.04.2) s_client
https://10.11.12.13 "Verify return code: 47 (permitted subtree violation)"
###################################
Test B3
leaf certificate issued to >> E = root at an3k.de, CN = backup.an3k.lan, O = an3k Industries Ltd., L = Munich, S = DE-BY, C = DE <<
no subjectAltName extension
- Google Chrome 42
https://backup.an3k.lan green lock
https://10.11.12.13 certification error ("Server's certificate is invalid")
- Mozilla Firefox 37
https://backup.an3k.lan gray lock
https://10.11.12.13 certification warning ("ssl_error_bad_cert_domain")
- Internet Explorer 11
https://backup.an3k.lan black lock
https://10.11.12.13 certification warning ("This website's address doesn't match the address in the security certificate")
- OpenSSL 1.0.1f (Ubuntu Server 14.04.2) s_client
https://10.11.12.13 "Verify return code: 0 (ok)"
###################################
Test B4
leaf certificate issued to >> E = root at an3k.de, CN = 10.11.12.13, O = an3k Industries Ltd., L = Munich, S = DE-BY, C = DE <<
no subjectAltName extension
- Google Chrome 42
https://backup.an3k.lan certification error ("Server's certificate does not match the URL" and "Server's certificate is invalid")
https://10.11.12.13 certification error ("Server's certificate is invalid")
- Mozilla Firefox 37
https://backup.an3k.lan certification warning ("ssl_error_bad_cert_domain")
https://10.11.12.13 gray lock
- Internet Explorer 11
https://backup.an3k.lan certification warning ("This website's address doesn't match the address in the security certificate")
https://10.11.12.13 certification warning ("This website's address doesn't match the address in the security certificate")
- OpenSSL 1.0.1f (Ubuntu Server 14.04.2) s_client
https://10.11.12.13 "Verify return code: 0 (ok)"
###################################
Test B5
leaf certificate issued to >> E = root at an3k.de, CN = www.an3k.de, O = an3k Industries Ltd., L = Munich, S = DE-BY, C = DE <<
subjectAltName=IP:10.11.12.13
- Google Chrome 42
https://www.an3k.de certification error ("Server's certificate does not match the URL" and "Server's certificate is invalid")
https://10.11.12.13 certification error ("Server's certificate is invalid")
- Mozilla Firefox 37
https://www.an3k.de certification warning ("ssl_error_bad_cert_domain")
https://10.11.12.13 gray lock
- Internet Explorer 11
https://www.an3k.de certification warning ("This website's address doesn't match the address in the security certificate")
https://10.11.12.13 certification warning ("This website's address doesn't match the address in the security certificate")
- OpenSSL 1.0.1f (Ubuntu Server 14.04.2) s_client
https://10.11.12.13 "Verify return code: 51 (unsupported name constraint type)"
###################################
Test B6
leaf certificate issued to >> E = root at an3k.de, CN = 10.11.12.13, O = an3k Industries Ltd., L = Munich, S = DE-BY, C = DE <<
subjectAltName=DNS:www.an3k.de
- Google Chrome 42
https://www.an3k.de certification error ("Server's certificate is invalid")
https://10.11.12.13 certification error ("Server's certificate does not match the URL" and "Server's certificate is invalid")
- Mozilla Firefox 37
https://www.an3k.de certification error ("sec_error_cert_not_in_name_space")
https://10.11.12.13 certification error ("sec_error_cert_not_in_name_space")
- Internet Explorer 11
https://www.an3k.de certification warning ("This website's address doesn't match the address in the security certificate")
https://10.11.12.13 certification warning ("This website's address doesn't match the address in the security certificate")
- OpenSSL 1.0.1f (Ubuntu Server 14.04.2) s_client
https://10.11.12.13 "Verify return code: 47 (permitted subtree violation)"
###################################
Test B7
leaf certificate issued to >> E = root at an3k.de, CN = www.an3k.de, O = an3k Industries Ltd., L = Munich, S = DE-BY, C = DE <<
no subjectAltName extension
- Google Chrome 42
https://www.an3k.de certification error ("Server's certificate is invalid")
https://10.11.12.13 certification error ("Server's certificate does not match the URL" and "Server's certificate is invalid")
- Mozilla Firefox 37
https://www.an3k.de certification error ("sec_error_cert_not_in_name_space")
https://10.11.12.13 certification error ("sec_error_cert_not_in_name_space")
- Internet Explorer 11
https://www.an3k.de certification warning ("This website's address doesn't match the address in the security certificate")
https://10.11.12.13 certification warning ("This website's address doesn't match the address in the security certificate")
- OpenSSL 1.0.1f (Ubuntu Server 14.04.2) s_client
https://10.11.12.13 "Verify return code: 0 (ok)"
###################################
Test B8
leaf certificate issued to >> E = root at an3k.de, CN = www.an3k.de, O = an3k Industries Ltd., L = Munich, S = DE-BY, C = DE <<
subjectAltName=IP:8.8.8.8
- Google Chrome 42
https://www.an3k.de certification error ("Server's certificate does not match the URL" and "Server's certificate is invalid")
https://10.11.12.13 certification error ("Server's certificate does not match the URL" and "Server's certificate is invalid")
- Mozilla Firefox 37
https://www.an3k.de certification error ("sec_error_cert_not_in_name_space")
https://10.11.12.13 certification error ("sec_error_cert_not_in_name_space")
- Internet Explorer 11
https://www.an3k.de certification warning ("This website's address doesn't match the address in the security certificate")
https://10.11.12.13 certification warning ("This website's address doesn't match the address in the security certificate")
- OpenSSL 1.0.1f (Ubuntu Server 14.04.2) s_client
https://10.11.12.13 "Verify return code: 51 (unsupported name constraint type)"
###################################
Test B9
leaf certificate issued to >> E = root at an3k.de, CN = 8.8.8.8, O = an3k Industries Ltd., L = Munich, S = DE-BY, C = DE <<
subjectAltName=DNS:www.an3k.de
- Google Chrome 42
https://www.an3k.de certification error ("Server's certificate is invalid")
https://10.11.12.13 certification error ("Server's certificate does not match the URL" and "Server's certificate is invalid")
- Mozilla Firefox 37
https://www.an3k.de certification error ("sec_error_cert_not_in_name_space")
https://10.11.12.13 certification error ("sec_error_cert_not_in_name_space")
- Internet Explorer 11
https://www.an3k.de certification warning ("This website's address doesn't match the address in the security certificate")
https://10.11.12.13 certification warning ("This website's address doesn't match the address in the security certificate")
- OpenSSL 1.0.1f (Ubuntu Server 14.04.2) s_client
https://10.11.12.13 "Verify return code: 47 (permitted subtree violation)"
###################################
Test B10
leaf certificate issued to >> E = root at an3k.de, CN = 8.8.8.8, O = an3k Industries Ltd., L = Munich, S = DE-BY, C = DE <<
no subjectAltName extension
- Google Chrome 42
https://backup.an3k.lan certification error ("Server's certificate does not match the URL" and "Server's certificate is invalid")
https://10.11.12.13 certification error ("Server's certificate does not match the URL" and "Server's certificate is invalid")
- Mozilla Firefox 37
https://backup.an3k.lan certification error ("sec_error_cert_not_in_name_space")
https://10.11.12.13 certification error ("sec_error_cert_not_in_name_space")
- Internet Explorer 11
https://backup.an3k.lan certification warning ("This website's address doesn't match the address in the security certificate")
https://10.11.12.13 certification warning ("This website's address doesn't match the address in the security certificate")
- OpenSSL 1.0.1f (Ubuntu Server 14.04.2) s_client
https://10.11.12.13 "Verify return code: 0 (ok)"
-------------- next part --------------
Ok, after plenty of testing and some googling: the name constraints extension is ... improvable.
My Structure:
- Root CA
- Intermediate CA 1
- Intermediate CA 2
- Intermediate CA 3
- Signing CA
The Intermediate CA 3 writes name constraints into the Signing CA's certificate. The web server provides certificates for all Intermediate CAs and the Signing CA in the correct order.
I used this configuration:
permitted;DNS.0=.lan
permitted;DNS.1=.local
permitted;IP.0=10.0.0.0/255.0.0.0
permitted;IP.1=172.16.0.0/255.240.0.0
permitted;IP.2=192.168.0.0/255.255.0.0
permitted;dirName=dir_sect
[dir_sect]
CN=10.11.12.13
###################################
Test C1
leaf certificate issued to >> CN = backup.an3k.lan <<
subjectAltName=IP:10.11.12.13
- Google Chrome 42
https://backup.an3k.lan certification error ("Server's certificate does not match the URL" and "Server's certificate is invalid")
https://10.11.12.13 certification error ("Server's certificate is invalid")
- Mozilla Firefox 37
https://backup.an3k.lan certification error ("sec_error_cert_not_in_name_space")
https://10.11.12.13 certification error ("sec_error_cert_not_in_name_space")
- Internet Explorer 11
https://backup.an3k.lan certification warning ("This website's address doesn't match the address in the security certificate")
https://10.11.12.13 certification warning ("This website's address doesn't match the address in the security certificate")
- OpenSSL 1.0.1f (Ubuntu Server 14.04.2) s_client
https://10.11.12.13 "Verify return code: 47 (permitted subtree violation)"
###################################
Test C2
leaf certificate issued to >> CN = 10.11.12.13 <<
subjectAltName=DNS:backup.an3k.lan
- Google Chrome 42
https://backup.an3k.lan green lock
https://10.11.12.13 certification warning ("Server's certificate does not match the URL")
- Mozilla Firefox 37
https://backup.an3k.lan certification error ("sec_error_cert_not_in_name_space")
https://10.11.12.13 certification error ("sec_error_cert_not_in_name_space")
- Internet Explorer 11
https://backup.an3k.lan black lock
https://10.11.12.13 certification warning ("This website's address doesn't match the address in the security certificate")
- OpenSSL 1.0.1f (Ubuntu Server 14.04.2) s_client
https://10.11.12.13 "Verify return code: 47 (permitted subtree violation)"
###################################
Test C3
leaf certificate issued to >> CN = backup.an3k.lan <<
no subjectAltName extension
- Google Chrome 42
https://backup.an3k.lan certification error ("Server's certificate is invalid")
https://10.11.12.13 certification error ("Server's certificate does not match the URL" and "Server's certificate is invalid")
- Mozilla Firefox 37
https://backup.an3k.lan certification error ("sec_error_cert_not_in_name_space")
https://10.11.12.13 certification error ("sec_error_cert_not_in_name_space")
- Internet Explorer 11
https://backup.an3k.lan certification warning ("This website's address doesn't match the address in the security certificate")
https://10.11.12.13 certification warning ("This website's address doesn't match the address in the security certificate")
- OpenSSL 1.0.1f (Ubuntu Server 14.04.2) s_client
https://10.11.12.13 "Verify return code: 47 (permitted subtree violation)"
###################################
Test C4
leaf certificate issued to >> CN = 10.11.12.13 <<
no subjectAltName extension
- Google Chrome 42
https://backup.an3k.lan certification error ("Server's certificate does not match the URL" and "Server's certificate is invalid")
https://10.11.12.13 certification error ("Server's certificate is invalid")
- Mozilla Firefox 37
https://backup.an3k.lan certification error ("sec_error_cert_not_in_name_space")
https://10.11.12.13 certification error ("sec_error_cert_not_in_name_space")
- Internet Explorer 11
https://backup.an3k.lan certification warning ("This website's address doesn't match the address in the security certificate")
https://10.11.12.13 certification warning ("This website's address doesn't match the address in the security certificate")
- OpenSSL 1.0.1f (Ubuntu Server 14.04.2) s_client
https://10.11.12.13 "Verify return code: 0 (ok)"
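As an added example (not code from the post, and not OpenSSL's or any browser's implementation), the name-constraint check a verifier should apply to the permitted subtrees of Test Runs B and C, with the subject-CN treatment made an explicit policy because the browsers and s_client disagreed on it. The leaf identities come from the test cases above; the function names and the dirName prefix rule are this example's own choices.

```python
import ipaddress

# Permitted subtrees from Test Run B, written the way OpenSSL's x509_config
# does: a leading dot on a DNS constraint means "any subdomain of this suffix".
PERMITTED_B = {
    "DNS": [".lan", ".local"],
    "IP": [("10.0.0.0", "255.0.0.0"), ("172.16.0.0", "255.240.0.0"),
           ("192.168.0.0", "255.255.0.0")],
}
# Test Run C adds a dirName subtree: the subject DN must begin with CN=10.11.12.13.
PERMITTED_C = dict(PERMITTED_B, dirName=[(("CN", "10.11.12.13"),)])


def dns_in_subtree(name, base):
    name, base = name.lower(), base.lower()
    if base.startswith("."):            # OpenSSL leading-dot form: subdomains only
        return name.endswith(base)
    return name == base or name.endswith("." + base)   # RFC 5280 form


def ip_in_subtree(addr, base):
    ip = ipaddress.ip_address(addr)
    net, mask = ipaddress.ip_address(base[0]), ipaddress.ip_address(base[1])
    if ip.version != net.version:       # an IPv4 name never matches an IPv6 subtree
        return False
    return int(ip) & int(mask) == int(net) & int(mask)


def dn_in_subtree(subject, base):
    # directoryName subtrees match when the constraint DN is a prefix of the subject DN
    return tuple(subject[:len(base)]) == tuple(base)


MATCHERS = {"DNS": dns_in_subtree, "IP": ip_in_subtree, "dirName": dn_in_subtree}


def check_name(kind, value, permitted):
    """Unconstrained if no subtree of this kind exists; else one must match."""
    bases = permitted.get(kind)
    return not bases or any(MATCHERS[kind](value, b) for b in bases)


def check_leaf(subject, sans, permitted, cn_policy="if_no_san"):
    """Return the list of name-constraint violations for a leaf (empty = permitted).
    subject is a tuple of (attribute, value) pairs, sans a list of (kind, value).
    cn_policy selects the subject-CN treatment, which RFC 5280 leaves open:
    'never' (strict RFC), 'if_no_san' (what the post reports for Firefox), 'always'.
    """
    violations = []
    for kind, value in sans:
        if not check_name(kind, value, permitted):
            violations.append("%s:%s not in permitted subtree" % (kind, value))
    if not check_name("dirName", subject, permitted):
        violations.append("subject DN not in permitted dirName subtree")
    cn = dict(subject).get("CN")
    if cn and (cn_policy == "always" or (cn_policy == "if_no_san" and not sans)):
        try:
            ipaddress.ip_address(cn)
            kind = "IP"                 # a CN that parses as an address is checked as one
        except ValueError:
            kind = "DNS"
        if not check_name(kind, cn, permitted):
            violations.append("CN=%s not in permitted %s subtree" % (cn, kind))
    return violations
```

Run against the B and C cases, this reports no violation for B1, B2 and C2 (where s_client returned 51 or 47) and flags B8's SAN IP:8.8.8.8 and C1's subject DN, which is what the browsers' errors in those tests correspond to.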