[CONC-413] C/C may not compare IP address to Subject Alternative Name fields for server certificate verification

| Created: | 2019-05-22 | Updated: | 2022-07-01 |
| Status: | Open |
| Project: | MariaDB Connector/C |
| Component/s: | None |
| Affects Version/s: | 3.0.8, 3.1.0 |
| Fix Version/s: | 3.3 |
| Type: | Bug | Priority: | Major |
| Reporter: | Geoff Montee (Inactive) | Assignee: | Georg Richter |
| Resolution: | Unresolved | Votes: | 0 |
| Labels: | None |
| Issue Links: | |
| Description |
|
Support for server certificate verification against subjectAltName (SAN) fields was added in the following Jira issues:

This seems to be supported with OpenSSL, Schannel, and GnuTLS.

However, I noticed that C/C does not necessarily check the server's IP address against the subjectAltName (SAN) fields in the certificate. It only checks mysql->host, which can be a host name or an IP address. If the user specifies the server's host as a host name, then I don't believe that C/C will verify the certificate using the server's IP address.

With OpenSSL, it just checks mysql->host:

And with Schannel, it also just checks mysql->host:

And with GnuTLS, it also just checks mysql->host:

I see that the IP address is resolved from the host name here:

Can this IP address be saved somewhere, so that it can be used for the server certificate verification step?
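To illustrate the behaviour described in the report, here is an added, stand-alone reference-identity matcher (not Connector/C code, and not from the reporter): it takes the value the client was given as the host, decides whether it is a DNS name or an IP literal, and compares it only against the SAN entries of the matching kind, the way RFC 6125 describes. The SAN list is constructed in the shape `ssl.getpeercert()["subjectAltName"]` returns; the scenario at the bottom shows that a host name given by the user never matches an iPAddress-only certificate, which is exactly the gap the reporter points at.

```python
import ipaddress

# Constructed sample SAN list, in the tuple form returned by
# ssl.getpeercert()["subjectAltName"] (not a real certificate).
SAN = (("DNS", "db.example.com"),
       ("DNS", "*.internal.example"),
       ("IP Address", "10.0.0.5"))


def _dns_match(pattern, host):
    """RFC 6125 style dNSName match: case-insensitive, wildcard only as the
    whole left-most label, and it never spans more than one label."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if len(p_labels) != len(h_labels) or p_labels[0] != "*":
        return False
    return p_labels[1:] == h_labels[1:]


def _ip_match(san_ip, host_ip):
    """iPAddress match: compare parsed addresses, not strings."""
    try:
        return ipaddress.ip_address(san_ip) == host_ip
    except ValueError:
        return False


def host_matches_san(host, san_entries):
    """True if `host` (the identity the user asked for, a DNS name or an IP
    literal) is covered by the certificate's SAN entries. An IP literal is
    only ever compared against iPAddress entries, a name only against
    dNSName entries; a name is not resolved and then matched by address."""
    try:
        host_ip = ipaddress.ip_address(host)
    except ValueError:
        host_ip = None
    for kind, value in san_entries:
        if host_ip is None and kind == "DNS" and _dns_match(value, host):
            return True
        if host_ip is not None and kind == "IP Address" and _ip_match(value, host_ip):
            return True
    return False


if __name__ == "__main__":
    # The reporter's scenario: certificate carries only an IP SAN.
    ip_only = (("IP Address", "10.0.0.5"),)
    print(host_matches_san("db.example.com", ip_only))  # False: name vs IP-only cert
    print(host_matches_san("10.0.0.5", ip_only))        # True: user connected by IP
```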