[openssl-dev] [openssl.org #3562] leading dots in nameConstraints ... bug report and patch
John Denker via RT
rt at openssl.org
Thu Jan 1 17:03:04 UTC 2015
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 12/31/2014 10:31 AM, Rich Salz via RT wrote:
> This patch from Steve Henson seems better
I am happy with the proposed patch. I have looked at
the code, and also tested it operationally.
The semantics is reasonable.
++ This is what I was arguing for initially.
++ It is AFAICT consistent with Mozilla behavior.
++ It is more strict than pk11-kit (lynx) behavior;
see below for details.
> and a good candidate for 1.0.2 and master...
OK, good, the sooner the better.
This is a "security issue" in the sense that is a Type-II
error (disallowing good guys). It affects thousands of
sites and who-knows-how-many users.
It is not a Type-I error (letting bad guys in) and it
affects "only" thousands of sites, not millions, so it
is not in the same category as heartbleed ... but still
it is well worth fixing, the sooner the better.
*** It would make sense to fix the nameConstraints bypass bug
*** [openssl.org #3502] at the same time.
*** Otherwise the whole nameConstraints concept is pretty much
*** pointless. http://rt.openssl.org/Ticket/Display.html?id=3502
- ----------------------
Test results:
The Henson patch does what it is supposed to:
:| $newopenssl s_client -verify 10 -CAfile /usr/share/ca-certificates/mozilla/Hellenic_Academic_and_Research_Institutions_RootCA_2011.crt -connect auth.edu.gr:443 |& egrep 'Verify'
Verify return code: 0 (ok)
For more detailed checks, we can use the following signing CA:
wget http://www.av8n.com/pdq-root-ca-cert.pem
echo 5d9f030c791bcace3580f38286a49c4f /tmp/pdq-root-ca-cert.pem | md5sum -c -
Here is another example of the patch allowing stuff, as it should:
:| $newopenssl s_client -verify 10 -CAfile pdq-root-ca-cert.pem -connect www.pdq.av8n.com:1446 |& egrep 'Verify'
Verify return code: 0 (ok)
Here it is disallowing some things, as it should:
A rule with a leading dot does /not/ match a domain name without
a corresponding dot:
:| $newopenssl s_client -verify 10 -CAfile pdq-root-ca-cert.pem -connect pdq.av8n.com:1445 |& egrep 'Verify'
Verify return code: 47 (permitted subtree violation)
In contrast, note that pk11-kit is more tolerant, and totally ignores
the leading dot:
SSL_CERT_FILE=pdq-root-ca-cert.pem lynx -source https://pdq.av8n.com:1445/cgi-bin/ipaddr
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIVAwUBVKV8H/O9SFghczXtAQIQIBAAiBsPoCiRqzKqZpE4hNmefyWaFlLagVQ0
Abhw5tBFCULwjGE5f4VlAil/1dNVro3Qlp7yvZ8qIXKkvJ3hk9gO6rUId6hP74Qy
xtAiBvs4az+IpxImQ91RRnw+ZYtf9IghKNSQyPkBDVpNMtlr7zr/OTe6ksgH0/h6
HhfKs7YuZ7RkCHmPjL7qDzFSfMxoFQSIXDguBFTrOrLmeOv7XG3O3ZvKnpcH/79M
DcxhUATvzzXyoYN9mtkbgw4W13Gcl0ds8S/zeFuencH2UvBVYPBZl/UTDf2stwya
wvizplcopgQikTd/p1D+5GnfaBUzRS2YopY77GQIokca0pLq/uO5XRBx/l8jQidX
i0KGvVWRsP1Oud0yJ/Ba8pMwunJwkzWpcvoV1kk1copm/KuZwZGb4k2PpQTLGBsG
czbRvHm5FbCRE7WDxGpO3GjtqcWZpY5kMlxUe8/yhnTvYQrcXgf7pUChBouS6Un9
GHq1uLGymIP6OtqzIpd0NSR2Fo1JU28mCGJs6gN+r7QtL5FoKpRo+16UrfHvBSt5
D1KuGjOCEb7JSxjsGIVaGK/lFQjMBksqG8MXj4xUR3UB7udj8tjBfxF1X3/rFk9M
fvkhMqw2zh8CvzzvIe3URy5t4rVooZ0Alwk7Q9imN4gI7tt8HrSadB5pwsTjfe0E
p3Sg79BLMM4=
=fbFv
-----END PGP SIGNATURE-----
More information about the openssl-dev
mailing list