Opened 2 years ago

Last modified 5 months ago

#27984 needs_revision defect

bridgedb verifyHostname doesn't check subjectAltName extension

Reported by: kaie Owned by: agix
Priority: Medium Milestone:
Component: Circumvention/BridgeDB Version:
Severity: Normal Keywords: ex-sponsor-19, ex-sponsor19
Cc: Actual Points:
Parent ID: Points: 3
Reviewer: Sponsor:

Description

Currently, bridgedb/crypto.py function verifyHostname uses the certificate's commonName exclusively to perform a hostname match.

RFC 5280 demands that the presence of the subjectAltName (SAN) extension be checked and, if present, that it be used to perform the hostname check.

verifyHostname should be changed to use subjectAltName. Only fall back to check common name if SAN is missing.

If an existing, more complete implementation of hostname verification can be found, it might be preferable to use it.
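The matching rule the description asks for, as an added example that is not BridgeDB's bridgedb/crypto.py code: it works on names already extracted from a certificate (the pyOpenSSL parsing is left out), keeps the reported CN-only behaviour beside the corrected SAN-first check, and represents a missing SAN extension as None so the CN fallback applies only when the extension is absent. All hostnames and certificate names are constructed.

```python
def _match_dns_name(pattern, hostname):
    """Case-insensitive DNS name match in the style of RFC 6125:
    a wildcard is honoured only as the complete leftmost label,
    matches exactly one label, and needs at least two further labels
    (so "*.com" never matches)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or any("*" in l for l in p_labels[1:]):
        return False  # partial or non-leftmost wildcards are rejected
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def verify_hostname_cn_only(hostname, common_name, san_dns_names):
    """The behaviour the ticket reports: subjectAltName is never consulted."""
    return common_name is not None and _match_dns_name(common_name, hostname)


def verify_hostname(hostname, common_name, san_dns_names):
    """Corrected check: if the SAN extension is present (a list, possibly
    empty), only its dNSName entries count and the CN is ignored; the CN
    is used solely when the extension is missing (None)."""
    if san_dns_names is not None:
        return any(_match_dns_name(n, hostname) for n in san_dns_names)
    return common_name is not None and _match_dns_name(common_name, hostname)


# Constructed certificate identity: CN names one host, SAN names others.
CONSTRUCTED_CN = "legacy.example.net"
CONSTRUCTED_SAN = ["www.example.com", "*.example.org"]

if __name__ == "__main__":
    for host in ("legacy.example.net", "api.example.org", "deep.sub.example.org"):
        print(host,
              "cn_only:", verify_hostname_cn_only(host, CONSTRUCTED_CN, CONSTRUCTED_SAN),
              "san_first:", verify_hostname(host, CONSTRUCTED_CN, CONSTRUCTED_SAN))
```

With the SAN present, the CN-only check accepts a name the SAN does not list and rejects the wildcard SAN entry, which is exactly the discrepancy the ticket describes.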

Change History (10)

comment:1 Changed 2 years ago by kaie

Python 3.7 will support hostname verification using its own openssl wrapper, see https://bugs.python.org/issue31399

However, it might be good to add support to pyopenssl, to allow code on older branches to benefit from it, too. https://github.com/pyca/pyopenssl/issues/795 is an attempt to add such support.

comment:2 Changed 2 years ago by kaie

I've been told about https://pypi.org/project/service_identity/ which is another alternative to perform complete hostname verification, and is designed to be used together with pyOpenSSL.

comment:3 Changed 21 months ago by gaba

Owner: sysrqb deleted
Points: 3
Sponsor: Sponsor19
Status: new → assigned

comment:4 Changed 17 months ago by gaba

Keywords: ex-sponsor-19 added

Adding the keyword to mark everything that didn't fit into the time for sponsor 19.

comment:5 Changed 17 months ago by gaba

Keywords: ex-sponsor19 added
Sponsor: Sponsor19

Remove sponsor 19 and add a keyword ex-sponsor19 to mark all the tickets that could have been in the scope of the sponsor.

comment:6 Changed 8 months ago by teor

Status: assigned → new

Change tickets that are assigned to nobody to "new".

comment:7 Changed 6 months ago by agix

Owner: set to agix
Status: new → assigned

comment:8 Changed 5 months ago by agix

I basically worked on two different solutions.
Here is the first one.
Here is the second one, which uses the service_identity package, as previously mentioned by kaie.

I tend to prefer the latter, since BridgeDB already relies on the package.

comment:9 Changed 5 months ago by agix

Status: assigned → needs_review

comment:10 Changed 5 months ago by phw

Status: needs_review → needs_revision

I like your second approach, great work! I left a few minor comments in the commit. Do you mind addressing them?
