[openssl-dev] [openssl.org #3502] nameConstraints bypass bug

Viktor Dukhovni openssl-users at dukhovni.org
Tue May 31 13:40:05 UTC 2016


> On May 31, 2016, at 2:43 AM, Brian Smith <brian at briansmith.org> wrote:
> 
> Not too long ago, there were changes to the CABForum rules about certificates to make it easier for any website to get a CA certificate constrained to its domain name. There were some problems with the loosening of the rules, and Apple has been slow to implement name constraints, so not many websites are taking advantage of them. But, soon, I am hopeful, and I expect, that it will soon be as easy to get a name-constrained CA certificate as it is to get a wildcard certificate now. In fact, it is really important for the security of many (smaller and medium-sized) websites that this become possible, because this would make HPKP work much better and reduce risks relative to wildcard certificates.
> 
> In particular, we should be designing things based on the assumption that in the next few years, the owner of briansmith.org can get a CA certificate with name constraint of dNSName=briansmith.org. Then the owner of briansmith.org will be able to put Subject={CN=google.com} in his certificates if he feels like it. And, we shouldn't even expect such certificates to be revoked because they will be harmless to anybody that does validation correctly (i.e. by either ignoring the subject CN or by applying name constraints to the subject CN).

Well, if this becomes reality, it puts the final nail in the coffin of OpenSSL
versions prior to 1.0.2.  These don't have built-in name checks, and 0.9.8 and
1.0.0 are no longer supported, but are still used on some legacy systems.

For 1.0.2 and 1.1.0 it is possible to "align" the behaviour of nameConstraints
with the built-in name checks for applications that use the built-in name checks.

The ad-hoc --- apply nameConstraints if the CN is a valid DNS name --- approach
could perhaps be of some use with 1.0.1.  I might note that RFC 6125 says that
CN-ID is only applicable when the subject DN has exactly one CN component, but
various applications have historically chosen either the first, last or any CN
component in an ad-hoc manner.  So it is also not clear what OpenSSL should do
when there are multiple CNs.

-- 
	Viktor.
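
The ad-hoc approach discussed in this message, sketched as an added example (not part of the original post and not OpenSSL's code): permitted dNSName subtrees are applied to SAN entries and to every subject CN that looks like a DNS name. The function names, the "looks like a DNS name" heuristic, the choice to check all CNs, and the restriction to permitted subtrees are assumptions of this sketch.

```python
import re

# One LDH label; the heuristic below requires at least two of them.
_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
_DNS_RE = re.compile(rf"^(?:\*\.)?{_LABEL}(?:\.{_LABEL})+$")


def looks_like_dns_name(cn: str) -> bool:
    """Assumed heuristic: optional '*.' prefix, two or more LDH labels, <= 253 chars."""
    cn = cn.strip().lower().rstrip(".")
    return len(cn) <= 253 and bool(_DNS_RE.match(cn))


def in_subtree(name: str, base: str) -> bool:
    """RFC 5280 dNSName matching: the base itself, or the base with labels added on the left."""
    name, base = name.strip().lower().rstrip("."), base.lower().rstrip(".")
    if name.startswith("*."):
        name = name[2:]  # a wildcard is inside the subtree if its parent domain is
    return base == "" or name == base or name.endswith("." + base)


def cn_constraint_violations(subject_cns, san_dns, permitted):
    """Return (source, name) pairs that fall outside every permitted dNSName subtree.

    Every CN that looks like a DNS name is checked, not only the first or last,
    because applications differ in which CN they treat as the host name.
    """
    if not permitted:  # no permitted dNSName subtrees: nothing to enforce here
        return []
    candidates = [("SAN", n) for n in san_dns]
    candidates += [("CN", cn.strip()) for cn in subject_cns if looks_like_dns_name(cn)]
    return [(src, n) for src, n in candidates
            if not any(in_subtree(n, base) for base in permitted)]


def demo():
    # Constructed sample: issuing CA constrained to briansmith.org, as in the thread.
    permitted = ["briansmith.org"]
    return {
        "cn_bypass": cn_constraint_violations(["google.com"], ["www.briansmith.org"], permitted),
        "non_dns_cn": cn_constraint_violations(["Brian Smith"], ["www.briansmith.org"], permitted),
        "multiple_cns": cn_constraint_violations(["www.briansmith.org", "google.com"], [], permitted),
    }


if __name__ == "__main__":
    for case, violations in demo().items():
        print(case, violations)
```

A certificate is rejected when the returned list is non-empty; a CN that is not host-name-shaped (such as a person's name) is left alone.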

