[ https://issues.apache.org/jira/browse/MESOS-5724?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15351691#comment-15351691 ]
Till Toenshoff edited comment on MESOS-5724 at 6/27/16 7:56 PM:
----------------------------------------------------------------

See also
- [How are SSL certificate server names resolved/Can I add alternative names using keytool?|http://stackoverflow.com/questions/8443081/how-are-ssl-certificate-server-names-resolved-can-i-add-alternative-names-using/8444863#8444863]
- [URIs in the subjAltName X.509 extension|http://security.stackexchange.com/questions/14019/uris-in-the-subjaltname-x-509-extension/14021#14021]
- [OpenSSL: x509v3_config|https://www.openssl.org/docs/manmaster/apps/x509v3_config.html]


was (Author: tillt):
See also
- [How are SSL certificate server names resolved/Can I add alternative names using keytool?|http://stackoverflow.com/questions/8443081/how-are-ssl-certificate-server-names-resolved-can-i-add-alternative-names-using/8444863#8444863]
- [URIs in the subjAltName X.509 extension|http://security.stackexchange.com/questions/14019/uris-in-the-subjaltname-x-509-extension/14021#14021]


> SSL certificate validation should allow IP only verification.
> -------------------------------------------------------------
>
>                 Key: MESOS-5724
>                 URL: https://issues.apache.org/jira/browse/MESOS-5724
>             Project: Mesos
>          Issue Type: Bug
>          Components: libprocess
>    Affects Versions: 1.0.0
>            Reporter: Till Toenshoff
>            Priority: Blocker
>              Labels: libprocess, mesosphere, security, ssl
>
> Our SSL certificate validation currently assumes that the host (on connect and on accept) does have a valid hostname. This, however, is not true for all environments.
> {{process::network::openssl::verify}} currently only allows the validation of a certificate against a hostname.
> See https://github.com/apache/mesos/blob/08866edd8a71d12f87f4f4dbefa292729efbf6ae/3rdparty/libprocess/src/openssl.cpp#L546
> RFC 2818, however, says that it should be perfectly valid to validate a certificate based on the IP address.
> See https://tools.ietf.org/html/rfc2818
> {noformat}
> In some cases, the URI is specified as an IP address rather than a hostname. In this case, the iPAddress subjectAltName must be present in the certificate and must exactly match the IP in the URI.
> {noformat}



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
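The RFC 2818 rule quoted in the issue, worked through as an added example. This is Python written for this page, not libprocess code and not code posted in the issue. `SAMPLE_SAN` is a constructed list standing in for what a parser would pull out of a certificate issued with an OpenSSL x509v3_config `subjectAltName = DNS:..., IP:...` line; `verify_peer_identity`, `verify_hostname_only` and `_dns_match` are names invented here. It shows why a hostname-only check fails a peer addressed by IP even when the certificate carries the right iPAddress entry, and how the IP comparison has to be done on parsed addresses so that `2001:0db8::5` and `2001:db8::5` compare equal while a dNSName that merely looks like an IP does not count.

```python
"""RFC 2818 section 3.1 reference-identity matching.

Added example, not libprocess code and not code from the issue.  It matches the
identity a client connected to (hostname or IP literal) against parsed
subjectAltName entries, applying the rule the issue quotes: an IP reference is
satisfied only by an exactly matching iPAddress entry.
"""
import ipaddress
from typing import Iterable, Tuple

SanEntry = Tuple[str, str]  # ("DNS", "name") or ("IP", "address")

# Constructed sample: what a parser would extract from a certificate issued
# with this OpenSSL x509v3_config extension line (names and addresses made up):
#   subjectAltName = DNS:master.mesos.example, DNS:*.agent.mesos.example, IP:10.0.0.5, IP:2001:db8::5
SAMPLE_SAN: Tuple[SanEntry, ...] = (
    ("DNS", "master.mesos.example"),
    ("DNS", "*.agent.mesos.example"),
    ("IP", "10.0.0.5"),
    ("IP", "2001:db8::5"),
)


def _dns_match(pattern: str, hostname: str) -> bool:
    """Case-insensitive dNSName comparison; '*' matches exactly one label.

    RFC 2818 also allowed partial-label wildcards such as f*.com; RFC 6125
    later restricted that, so only a whole-label '*' is honoured here.
    """
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    return all(pl == "*" or pl == hl for pl, hl in zip(p, h))


def verify_hostname_only(reference: str, san_entries: Iterable[SanEntry]) -> bool:
    """Illustrative stand-in (not the libprocess code) for a hostname-only check
    of the kind the issue describes: iPAddress entries are never consulted, so a
    peer addressed by IP fails even when the certificate carries that IP."""
    return any(kind == "DNS" and _dns_match(value, reference)
               for kind, value in san_entries)


def verify_peer_identity(reference: str, san_entries: Iterable[SanEntry]) -> bool:
    """Return True if `reference` is matched by a subjectAltName entry.

    - An IP literal (optionally in URI brackets) is compared as a parsed
      address against iPAddress entries only, so textual variants of one IPv6
      address still match and a dNSName that merely looks like an IP does not.
    - A hostname is compared against dNSName entries only.
    Subject CN is not consulted: RFC 2818 permits that fallback only when the
    certificate carries no subjectAltName, a case this function never sees.
    """
    try:
        ref_ip = ipaddress.ip_address(reference.strip("[]"))
    except ValueError:
        ref_ip = None  # not an IP literal, so treat it as a hostname

    for kind, value in san_entries:
        if ref_ip is not None:
            if kind != "IP":
                continue
            try:
                if ipaddress.ip_address(value) == ref_ip:
                    return True
            except ValueError:
                continue  # malformed iPAddress entry: skip rather than crash
        elif kind == "DNS" and _dns_match(value, reference):
            return True
    return False


if __name__ == "__main__":
    for ref in ("10.0.0.5", "[2001:0db8::5]", "a1.agent.mesos.example", "10.0.0.6"):
        print(f"{ref:26} hostname-only={verify_hostname_only(ref, SAMPLE_SAN)!s:5} "
              f"rfc2818={verify_peer_identity(ref, SAMPLE_SAN)}")
```

The one design point worth calling out: the reference identity is classified first (IP literal or hostname), and each class is compared only against SAN entries of its own type. That is what "must exactly match the IP in the URI" buys you; comparing the textual IP against dNSName strings would both miss equivalent IPv6 spellings and accept a certificate whose issuer put an IP into a DNS entry.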