  1. MariaDB Connector/J
  2. CONJ-511

Add legacy SSL certificate Hostname verification with CN even when SAN are set

Details

    • Bug
    • Status: Closed
    • Major
    • Resolution: Fixed
    • None
    • 2.1.1
    • TLS
    • None

    Description

      After investigating joseph.witthuhn's comment, and verification on SSL with Aurora:

      The issue is that when a certificate has alternate names, only alt-name verification is executed, as RFC 6125 indicates: hostname verification should be done against the certificate’s subjectAlternativeName’s dNSName field.
      RFC 2818 discouraged CN verification more than 10 years ago, as it was only intended for legacy. The Baseline Requirements require a subjectAltName, and require that the only host-ish names in a CN must be a name also in the SAN.

      That is not compatible with connecting directly to an Aurora host.

      The correction is to permit legacy CN verification when the SAN doesn't match the hostname.
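
The check order described above, as an added example (not Connector/J's own code): SAN dNSName entries are tried first, and the CN is consulted only when no SAN entry matches and the legacy option is enabled. The class, method and parameter names and the sample certificate names are assumptions made for illustration.

```java
import java.util.List;
import java.util.Locale;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

public class SanThenCnVerifier {

  // Match one certificate name against the host. A "*" may only stand for the
  // whole left-most label, and the rest must still contain a dot (no "*.com").
  static boolean matches(String host, String pattern) {
    String h = host.toLowerCase(Locale.ROOT);
    String p = pattern.toLowerCase(Locale.ROOT);
    if (!p.startsWith("*.")) return h.equals(p);
    int dot = h.indexOf('.');
    return p.indexOf('.', 2) > 0 && dot > 0 && h.substring(dot).equals(p.substring(1));
  }

  // Most specific CN of an RFC 2253 subject DN, as returned by
  // X509Certificate.getSubjectX500Principal().getName(); null when there is none.
  static String commonName(String subjectDn) throws InvalidNameException {
    String cn = null;
    for (Rdn rdn : new LdapName(subjectDn).getRdns()) { // index 0 is the right-most RDN
      if ("CN".equalsIgnoreCase(rdn.getType())) cn = String.valueOf(rdn.getValue());
    }
    return cn;
  }

  // sanDnsNames: the dNSName (type 2) entries of getSubjectAlternativeNames().
  // Returns the field that matched ("SAN" or "CN"), or "REJECT".
  static String verify(String host, List<String> sanDnsNames, String subjectDn,
                       boolean legacyCn) throws InvalidNameException {
    for (String san : sanDnsNames) {
      if (matches(host, san)) return "SAN";
    }
    // Strict behaviour: once SAN dNSName entries exist, the CN is not consulted.
    if (!sanDnsNames.isEmpty() && !legacyCn) return "REJECT";
    String cn = commonName(subjectDn);
    return cn != null && matches(host, cn) ? "CN" : "REJECT";
  }

  public static void main(String[] args) throws InvalidNameException {
    // Constructed sample: the SAN covers one name pattern, the CN another.
    List<String> san = List.of("*.cluster.example.test");
    String dn = "CN=*.instance.example.test,O=Example,C=US";
    String host = "db1.instance.example.test";
    System.out.println("strict:        " + verify(host, san, dn, false));
    System.out.println("legacy CN:     " + verify(host, san, dn, true));
    System.out.println("unrelated host: " + verify("other.example.test", san, dn, true));
  }
}
```

Returning which field matched lets the caller log CN-only matches, since those are the connections that strict SAN-only verification would have refused.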

        Activity

          Transition | Time In Source Status | Execution Times
          Open to Confirmed (Diego Dupin) | 23h 9m | 1
          Confirmed to Closed (Diego Dupin) | 5d 2h 37m | 1

          People

            Diego Dupin