[openssl-dev] [openssl.org #3502] nameConstraints bypass bug
Viktor Dukhovni
openssl-users at dukhovni.org
Tue May 31 03:58:23 UTC 2016
On Tue, May 31, 2016 at 02:54:13AM +0000, Brian Smith via RT wrote:
> > Applications can do that now by setting the right flag, as Viktor pointed
> > out. I think it's too late to make the default change for 1.1
>
> The important thing is: What happens when applications use the default
> settings? If the default settings are "don't consider the subject CN for
> name constraint processing, but do consider it for name validation" then
> that's obviously wrong and dangerous.
As of OpenSSL 1.0.2, we provide built-in name check support. When
the built-in routines are enabled, we know whether the application
has asked us to check for DNS names (and which ones).
The built-in checks do accept CN-ID as a fallback in the absence
of DNS-IDs. The name constraint code could make use of this to
apply name constraints to the CN-ID when we'll also be doing the
hostname checks on the CN-ID.
Now, not all (likely only a minority of) applications delegate name
checks to OpenSSL. It is more difficult to protect applications
that do their own name checks. If the sole name in the subject DN
is a valid DNS hostname, we could apply name constraints. If it
is instead "Joe User", that won't look like a DNS name, and we
could ignore it. That would be a bit of a hack, but it is not
clear that we can do any better when we have no idea what name
checks if any the application intends to perform.
Name constraints in the X.509v3 PKI have not worked well, and are
rarely used. The attack requires a issuing CA to be willing to
issue certificates beyond its constraints, that would be quite
noticeable and rather unwise. So I think this is not a major
problem. We should probably make a reasonable effort to address
this, but the urgency is I think low.
--
Viktor.
More information about the openssl-dev
mailing list