[openssl-dev] [openssl.org #3502] nameConstraints bypass bug
Brian Smith
brian at briansmith.org
Tue May 31 02:54:01 UTC 2016
Salz, Rich via RT <rt at openssl.org> wrote:
> > Note that other implementations treated this as a bug and fixed it a
> long time
> > ago.
>
> What other implementations, and what did they do? Always treating a CN as
> a DNS name? We can't.
>
As one example, mozilla::pkix treats the CN as a dNSName/iPAddress iif
there is no subjectAltName extension and iif the CN is a valid
dNSNa/iPAddress syntactically.
> Applications can do that now by setting the right flag, as Viktor pointed
> out. I think it's too late to make the default change for 1.1
>
The important thing is: What happens when applications use the default
settings? If the default settings are "don't consider the subject CN for
name constraint processing, but do consider it for name validation" then
that's obviously wrong and dangerous.
Besides that, there needs to be a way to make name constraint processing
consistent with name validation. That means that if name validation is
configured (by default or with a switch) to look at subject CNs then the
name constraints need to be configurable to do the same. Name validation
and name constraint validation go hand-in-hand.
> > How about this for a heuristic: If nameConstraints are in effect, then
> the
> > validator MUST NOT accept the CN as a DNS name. This seems like the
> least
> > the validator could do, in light of the aforementioned deprecation.
>
> Probably.
>
If the validator has that much information then it should be simple for it
to keep the state in sync. But, often (usually?) certificate chain
validation and certificate name validation are done in separate steps by
applications, and it's difficult or impossible to keep things in sync in
that case.
> > -- The problem is not solved until bad guys are
> > /required/ to use SAN;
>
> Applications can make that happen now.
Again, what matters is less what applications *can* do and more what
applications *actually* do. I suspect that most applications are having the
wrong, dangerous, thing happen. In fact, that is almost definitely the
case, considering that many applications are doing their own name
validation (and thus almost definitely looking at the subject CN as that is
historically how it is done), as OpenSSL didn't provide a name validation
API until recently.
So, I agree with the others that OpenSSL is broken in this respect.
Cheers,
Brian
--
https://briansmith.org/
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-dev/attachments/20160530/0e516707/attachment.html>
More information about the openssl-dev
mailing list