Details
- Bug
- Status: Closed
- Major
- Resolution: Fixed
Description
After investigating joseph.witthuhn's comment, and verifying SSL against Aurora:
The issue is that when the certificate has alternate names, only alt-name verification is executed. As RFC 6125 indicates, hostname verification should be done against the certificate's subjectAlternativeName dNSName field.
RFC 2818 discouraged CN verification more than 10 years ago, as it was only intended for legacy use. The Baseline Requirements require a subjectAltName, and require that any host-like name in the CN must also be a name in the SAN.
That is not compatible with connecting directly to the Aurora host.
The correction is to permit legacy CN verification when the SAN doesn't match the hostname.
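To make the two behaviours concrete, the following is an added Python illustration (not code from the issue's project) of SAN-first matching with the optional legacy CN fallback the issue proposes; the certificate dict shape follows Python's ssl.getpeercert() and the sample certificate is constructed.

```python
"""Hostname verification: SAN dNSName first, optional legacy CN fallback.
Cert dicts follow the shape returned by ssl.SSLSocket.getpeercert()."""


def _dns_name_match(pattern, hostname):
    """RFC 6125-style match: exact, or a single wildcard as the leftmost label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    plabels, hlabels = pattern.split("."), hostname.split(".")
    # Wildcard must be the whole leftmost label, cover exactly one label,
    # and must not sit directly under a public suffix (e.g. "*.com").
    if plabels[0] != "*" or len(plabels) < 3 or len(plabels) != len(hlabels):
        return False
    return plabels[1:] == hlabels[1:]


def san_dns_names(cert):
    return [v for (t, v) in cert.get("subjectAltName", ()) if t == "DNS"]


def common_names(cert):
    return [v for rdn in cert.get("subject", ()) for (k, v) in rdn if k == "commonName"]


def verify_hostname(cert, hostname, legacy_cn_fallback=False):
    """Return the certificate name that matched, or None.

    Strict RFC 6125 behaviour: if the certificate carries any dNSName SAN,
    only those entries are consulted. With legacy_cn_fallback=True (the
    change this issue proposes) the CN is also tried when no SAN matches."""
    sans = san_dns_names(cert)
    for name in sans:
        if _dns_name_match(name, hostname):
            return name
    if sans and not legacy_cn_fallback:
        return None
    for cn in common_names(cert):
        if _dns_name_match(cn, hostname):
            return cn
    return None


# Constructed sample: the CN names the host but no SAN entry does
# (hypothetical names, no real deployment implied).
SAMPLE_CERT = {
    "subject": ((("commonName", "db-cluster.example.internal"),),),
    "subjectAltName": (("DNS", "*.cluster.example.internal"),
                       ("DNS", "ro.example.internal")),
}
```

The fallback relaxes the RFC 6125 rule, so it is worth keeping it an explicit opt-in rather than the default.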