  1. MariaDB Connector/J
  2. CONJ-511

Add legacy SSL certificate Hostname verification with CN even when SAN are set

Details

    • Bug
    • Status: Closed
    • Major
    • Resolution: Fixed
    • None
    • 2.1.1
    • TLS
    • None

    Description

      After investigating joseph.witthuhn's comment, and verification on SSL with Aurora:

      The issue is that when a certificate has alternate names, only alt-name verification is executed, as RFC 6125 indicates: hostname verification should be done against the certificate's subjectAlternativeName's dNSName field.
      RFC 2818 discouraged the CN verification > 10 years ago, as it was only intended for legacy. The Baseline Requirements require a subjectAltName, and require that the only host-ish names in a CN must be a name also in the SAN.

      That is not compatible with connecting directly to an Aurora host.

      The correction is to permit legacy CN verification when the SAN doesn't match the hostname.
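
The check order the description arrives at (SAN dNSName entries first, CN only when no SAN entry matches), written out as an added example that is not the connector's own code. The class and method names, the `allowLegacyCn` flag and the hostnames are hypothetical, and wildcard handling is limited to a single leftmost label.

```java
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
import java.util.Locale;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

public class LegacyCnFallback {
    // dNSName entries (GeneralName type 2) of the subjectAltName extension.
    static List<String> dnsSans(X509Certificate cert) throws CertificateParsingException {
        List<String> names = new ArrayList<>();
        Collection<List<?>> sans = cert.getSubjectAlternativeNames(); // null when absent
        if (sans != null)
            for (List<?> e : sans)
                if ((Integer) e.get(0) == 2) names.add((String) e.get(1));
        return names;
    }

    // Common Name taken from the subject DN, or null if the subject has none.
    static String commonName(X509Certificate cert) throws InvalidNameException {
        for (Rdn rdn : new LdapName(cert.getSubjectX500Principal().getName()).getRdns())
            if ("CN".equalsIgnoreCase(rdn.getType())) return rdn.getValue().toString();
        return null;
    }

    // Case-insensitive exact match, or a leading "*." covering exactly one label.
    static boolean matches(String host, String pattern) {
        String h = host.toLowerCase(Locale.ROOT), p = pattern.toLowerCase(Locale.ROOT);
        if (!p.startsWith("*.")) return h.equals(p);
        int dot = h.indexOf('.');
        return dot > 0 && h.substring(dot).equals(p.substring(1));
    }

    // SAN entries are checked first; the CN is consulted only if none matched.
    static boolean verify(String host, List<String> sans, String cn, boolean allowLegacyCn) {
        for (String san : sans) if (matches(host, san)) return true;
        return allowLegacyCn && cn != null && matches(host, cn);
    }

    public static void main(String[] args) {
        List<String> sans = List.of("cluster.db.example.com"); // constructed SAN list
        String cn = "node1.db.example.com";                    // constructed CN
        System.out.println(verify("node1.db.example.com", sans, cn, false));
        System.out.println(verify("node1.db.example.com", sans, cn, true));
        System.out.println(verify("other.db.example.com", sans, cn, true));
    }
}
```

With `allowLegacyCn` set to false the check is the SAN-only behaviour the description attributes to RFC 6125; the fallback widens the set of names the client accepts, so a deployment that does not need it can leave it off. In real use, `dnsSans` and `commonName` would be fed the server's leaf certificate from the TLS session.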

          People

            Diego Dupin