Opened 8 months ago

Last modified 4 months ago

#27984 assigned defect

bridgedb verifyHostname doesn't check subjectAltName extension

Reported by: kaie
Owned by:
Priority: Medium
Milestone:
Component: Circumvention/BridgeDB
Version:
Severity: Normal
Keywords:
Cc:
Actual Points:
Parent ID:
Points: 3
Reviewer:
Sponsor: Sponsor19

Description

Currently, bridgedb/crypto.py function verifyHostname uses the certificate's commonName exclusively to perform a hostname match.

RFC 5280 demands that the presence of the subjectAltName (SAN) extension be checked and, if present, that it be used to perform the hostname check.

verifyHostname should be changed to use subjectAltName. Only fall back to check common name if SAN is missing.

If an existing, more complete implementation of hostname verification can be found, it might be preferable to use it.
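The check the ticket asks for, written out as an added example (this is not bridgedb's code, nor the code of any of the libraries named later in the ticket). It assumes certificates in the dict shape that Python's ssl.SSLSocket.getpeercert() returns, with constructed sample certificates embedded inline, and places the CN-only behaviour the ticket describes beside the RFC 5280 / RFC 6125 ordering so the failure mode is visible: a certificate whose SAN names a different host is accepted by the CN-only check and rejected by the SAN-first one.

```python
import ipaddress


class HostnameMismatch(Exception):
    """Raised when a certificate does not cover the hostname we connected to."""


# Constructed sample certificates, written in the dict shape that Python's
# ssl.SSLSocket.getpeercert() returns (an assumption made for this example;
# bridgedb itself works with pyOpenSSL X509 objects).
CERT_WITH_SAN = {
    "subject": ((("commonName", "bridges.torproject.org"),),),
    "subjectAltName": (
        ("DNS", "bridges.torproject.org"),
        ("DNS", "*.torproject.org"),
        ("IP Address", "203.0.113.7"),
    ),
}

# CN names one host while the SAN names another: the SAN is authoritative,
# so a CN-only check wrongly accepts this certificate for the CN's host.
CERT_CN_MISMATCH = {
    "subject": ((("commonName", "bridges.torproject.org"),),),
    "subjectAltName": (("DNS", "other.example"),),
}

# Legacy certificate with no SAN extension: only here may the CN be used.
CERT_CN_ONLY = {
    "subject": ((("commonName", "legacy.example"),),),
}


def _dns_name_matches(pattern, hostname):
    """Match one dNSName against a hostname, case-insensitively, allowing a
    single wildcard that must be the entire leftmost label (RFC 6125 6.4.3)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    labels = pattern.split(".")
    host_labels = hostname.split(".")
    # Reject partial wildcards ("b*.example"), wildcards in non-leftmost
    # labels, and overly broad patterns such as "*.com".
    if labels[0] != "*" or len(labels) < 3 or any("*" in label for label in labels[1:]):
        return False
    # A wildcard covers exactly one label, so the label counts must agree.
    return len(host_labels) == len(labels) and host_labels[1:] == labels[1:]


def _common_names(cert):
    """Yield every commonName attribute found in the subject DN."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                yield value


def legacy_cn_only_matches(cert, hostname):
    """The behaviour the ticket describes: CN only, SAN ignored (insecure)."""
    return any(_dns_name_matches(cn, hostname) for cn in _common_names(cert))


def hostname_matches(cert, hostname):
    """Return True if cert covers hostname, following RFC 5280 / RFC 6125:
    consult the SAN extension first; fall back to the CN only when the SAN
    is absent or carries no dNSName / iPAddress entries to match against."""
    try:
        wanted_ip = ipaddress.ip_address(hostname)
    except ValueError:
        wanted_ip = None

    saw_name_entry = False
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS":
            saw_name_entry = True
            if wanted_ip is None and _dns_name_matches(value, hostname):
                return True
        elif kind == "IP Address":
            saw_name_entry = True
            try:
                if wanted_ip is not None and ipaddress.ip_address(value) == wanted_ip:
                    return True
            except ValueError:
                continue  # malformed iPAddress entry: it cannot match anything
    if saw_name_entry:
        # A usable SAN was present, so a failed SAN match is final even if
        # the CN happens to equal the hostname.
        return False
    return legacy_cn_only_matches(cert, hostname)


def verify_hostname(cert, hostname):
    """Raising variant for use at connection time."""
    if not hostname_matches(cert, hostname):
        raise HostnameMismatch("certificate does not cover %r" % (hostname,))
    return True


if __name__ == "__main__":
    # Shows the defect: CN-only accepts a certificate the SAN rules reject.
    print(legacy_cn_only_matches(CERT_CN_MISMATCH, "bridges.torproject.org"))  # True
    print(hostname_matches(CERT_CN_MISMATCH, "bridges.torproject.org"))        # False
```

The wildcard handling is deliberately strict (one wildcard, whole leftmost label, at least two labels after it), which is the subset of RFC 6125 that public CAs actually issue; a real deployment would still prefer a maintained implementation such as the ones discussed in the comments below, since this example does no IDNA handling and matches only dNSName and iPAddress entries.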

Child Tickets

Change History (3)

comment:1 Changed 8 months ago by kaie

Python 3.7 will support hostname verification using its own openssl wrapper, see https://bugs.python.org/issue31399

However, it might be good to add support to pyopenssl, to allow code on older branches to benefit from it, too. https://github.com/pyca/pyopenssl/issues/795 is an attempt to add such support.

comment:2 Changed 8 months ago by kaie

I've been told about https://pypi.org/project/service_identity/ which is another alternative to perform complete hostname verification, and is designed to be used together with pyOpenSSL.

comment:3 Changed 4 months ago by gaba

Owner: sysrqb deleted
Points: 3
Sponsor: Sponsor19
Status: new → assigned