Opened 10 months ago

Last modified 2 months ago

#27984 assigned defect

bridgedb verifyHostname doesn't check subjectAltName extension

Reported by: kaie
Owned by:
Priority: Medium
Milestone:
Component: Circumvention/BridgeDB
Version:
Severity: Normal
Keywords: ex-sponsor-19, ex-sponsor19
Cc:
Actual Points:
Parent ID:
Points: 3
Reviewer:
Sponsor:

Description

Currently, bridgedb/crypto.py function verifyHostname uses the certificate's commonName exclusively to perform a hostname match.

RFC 5280 demands that the presence of the subjectAltName (SAN) extension is checked, and if present, must be used to perform the hostname check.

verifyHostname should be changed to use subjectAltName. Only fall back to check common name if SAN is missing.

If an existing, more complete implementation of hostname verification can be found, it might be preferable to use it.
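The check the ticket asks for, as an added example rather than bridgedb's own code: subjectAltName is consulted first and treated as authoritative when present, and the commonName is only used when the certificate carries no SAN extension at all. It operates on the dictionary layout that Python's ssl.SSLSocket.getpeercert() returns; the sample certificates, hostnames and the function names verify_hostname / verify_hostname_cn_only are constructed for the example and are not taken from the ticket or from bridgedb/crypto.py.

```python
"""Hostname verification done in the order the ticket asks for: subjectAltName
first; commonName only when the certificate carries no SAN extension at all.

Added example, not bridgedb's code. It works on the dictionary layout that
Python's ssl.SSLSocket.getpeercert() returns, so the sample certificates
below are constructed in that layout rather than parsed from real PEM data.
"""
import ipaddress
import re


class HostnameMismatch(Exception):
    """Raised when no identifier in the certificate matches the hostname."""


def _dnsname_match(pattern, hostname):
    """Match one dNSName/CN pattern against hostname (RFC 6125 section 6.4.3).

    A wildcard is accepted only as part of the left-most label, only once,
    never spanning a '.', and never when fewer than two literal labels remain
    (so '*.org' is rejected).
    """
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if not pattern or not hostname:
        return False
    if "*" not in pattern:
        return pattern == hostname
    labels = pattern.split(".")
    if pattern.count("*") != 1 or "*" not in labels[0] or len(labels) < 3:
        return False
    host_labels = hostname.split(".")
    if len(host_labels) != len(labels) or host_labels[1:] != labels[1:]:
        return False
    left = re.escape(labels[0]).replace(r"\*", r"[^.]+")
    return re.fullmatch(left, host_labels[0]) is not None


def _common_names(cert):
    return [value for rdn in cert.get("subject", ())
            for attr, value in rdn if attr == "commonName"]


def verify_hostname_cn_only(cert, hostname):
    """The behaviour the ticket reports (CN consulted, SAN ignored), kept for
    contrast: it accepts a certificate whose SAN names a different host."""
    return any(_dnsname_match(cn, hostname) for cn in _common_names(cert))


def verify_hostname(cert, hostname):
    """Return the certificate identifier that matches hostname, or raise.

    If the SAN extension is present it is authoritative: dNSName entries for
    a DNS hostname, iPAddress entries for an IP literal, and the CN is never
    consulted. Only a certificate with no SAN at all falls back to the CN,
    and then only for DNS hostnames (an IP literal in a CN is not a
    recognised identifier).
    """
    try:
        ip = ipaddress.ip_address(hostname)
    except ValueError:
        ip = None

    if "subjectAltName" in cert:
        san = cert["subjectAltName"]
        if ip is not None:
            for kind, value in san:
                if kind == "IP Address":
                    try:
                        if ipaddress.ip_address(value) == ip:
                            return value
                    except ValueError:
                        continue   # malformed iPAddress entry: never matches
        else:
            for kind, value in san:
                if kind == "DNS" and _dnsname_match(value, hostname):
                    return value
        raise HostnameMismatch(
            "hostname %r does not match any subjectAltName entry %r"
            % (hostname, san))

    if ip is None:
        for cn in _common_names(cert):
            if _dnsname_match(cn, hostname):
                return cn
    raise HostnameMismatch(
        "hostname %r does not match commonName(s) %r (no subjectAltName)"
        % (hostname, _common_names(cert)))


# Constructed sample certificates in getpeercert() layout; not real certs.
SAN_CERT = {
    "subject": ((("commonName", "bridges.example.org"),),),
    "subjectAltName": (("DNS", "bridges.example.org"),
                       ("DNS", "*.bridges.example.org"),
                       ("IP Address", "203.0.113.7")),
}
CN_ONLY_CERT = {
    "subject": ((("countryName", "US"),), (("commonName", "legacy.example.org"),)),
}
# CN says one host, SAN says another: a CN-only check is fooled, a SAN-first
# check is not.
MISLEADING_CN_CERT = {
    "subject": ((("commonName", "bridges.example.org"),),),
    "subjectAltName": (("DNS", "attacker.example.net"),),
}

if __name__ == "__main__":
    print(verify_hostname(SAN_CERT, "bridges.example.org"))
    print(verify_hostname(SAN_CERT, "db01.bridges.example.org"))
    print(verify_hostname(SAN_CERT, "203.0.113.7"))
    print(verify_hostname(CN_ONLY_CERT, "legacy.example.org"))
    print(verify_hostname_cn_only(MISLEADING_CN_CERT, "bridges.example.org"))
    try:
        verify_hostname(MISLEADING_CN_CERT, "bridges.example.org")
    except HostnameMismatch as e:
        print("rejected:", e)
```

The MISLEADING_CN_CERT case is the one that matters for the ticket: a certificate whose CN is the expected name but whose SAN lists something else passes a CN-only check and is rejected once SAN is given precedence. In production, prefer one of the existing implementations the ticket and its comments mention (service_identity, or the hostname checking built into Python's ssl module from 3.7) over a hand-written matcher.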

Child Tickets

Change History (5)

comment:1 Changed 10 months ago by kaie

Python 3.7 will support hostname verification using its own openssl wrapper, see https://bugs.python.org/issue31399

However, it might be good to add support to pyopenssl, to allow code on older branches to benefit from it, too. https://github.com/pyca/pyopenssl/issues/795 is an attempt to add such support.

comment:2 Changed 10 months ago by kaie

I've been told about https://pypi.org/project/service_identity/ which is another alternative to perform complete hostname verification, and is designed to be used together with pyOpenSSL.

comment:3 Changed 7 months ago by gaba

Owner: sysrqb deleted
Points: 3
Sponsor: Sponsor19
Status: new → assigned

comment:4 Changed 3 months ago by gaba

Keywords: ex-sponsor-19 added

Adding the keyword to mark everything that didn't fit into the time for sponsor 19.

comment:5 Changed 2 months ago by gaba

Keywords: ex-sponsor19 added
Sponsor: Sponsor19 deleted

Remove sponsor 19 and add a keyword ex-sponsor19 to mark all the tickets that could have been in the scope of the sponsor.
