[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

[tor-bugs] #27984 [Obfuscation/BridgeDB]: bridgedb verifyHostname doesn't check subjectAltName extension

To: undisclosed-recipients: ;
Subject: [tor-bugs] #27984 [Obfuscation/BridgeDB]: bridgedb verifyHostname doesn't check subjectAltName extension
From: "Tor Bug Tracker & Wiki" <blackhole@xxxxxxxxxxxxxx>
Date: Tue, 09 Oct 2018 09:58:45 -0000
Auto-submitted: auto-generated
Delivered-to: archiver@xxxxxxxx
Delivery-date: Tue, 09 Oct 2018 07:15:36 -0400
List-archive: <http://lists.torproject.org/pipermail/tor-bugs/>
List-help: <mailto:tor-bugs-request@lists.torproject.org?subject=help>
List-id: "auto: Tor bug tracker status mails" <tor-bugs.lists.torproject.org>
List-post: <mailto:tor-bugs@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs>, <mailto:tor-bugs-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-bugs>, <mailto:tor-bugs-request@lists.torproject.org?subject=unsubscribe>
Reply-to: no-reply@xxxxxxxxxxxxxx, tor-assistants@xxxxxxxxxxxxxx
Sender: "tor-bugs" <tor-bugs-bounces@xxxxxxxxxxxxxxxxxxxx>

#27984: bridgedb verifyHostname doesn't check subjectAltName extension
--------------------+--------------------------------------
 Reporter:  kaie    |          Owner:  sysrqb
     Type:  defect  |         Status:  new
 Priority:  Medium  |      Component:  Obfuscation/BridgeDB
  Version:          |       Severity:  Normal
 Keywords:          |  Actual Points:
Parent ID:          |         Points:
 Reviewer:          |        Sponsor:
--------------------+--------------------------------------
 Currently, bridgedb/crypto.py function verifyHostname uses the
 certificate's commonName exclusively to perform a hostname match.

 RFC 5280 demands that the presence of the subjectAltName (SAN) extension
 is checked, and if present, must be used to perform the hostname check.

 verifyHostname should be changed to use subjectAltName. Only fall back to
 check common name if SAN is missing.

 If an existing, more complete implementation of hostname verification can
 be found, it might be preferable to use it.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/27984>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Follow-Ups:
- Re: [tor-bugs] #27984 [Obfuscation/BridgeDB]: bridgedb verifyHostname doesn't check subjectAltName extension
  - From: Tor Bug Tracker & Wiki
- Re: [tor-bugs] #27984 [Obfuscation/BridgeDB]: bridgedb verifyHostname doesn't check subjectAltName extension
  - From: Tor Bug Tracker & Wiki

Prev by Author: Re: [tor-bugs] #24755 [Applications/Tor Browser]: Shell scripts refactoring and bash privacy leak. Heredoc should not be used in start-tor-browser script.
Next by Author: Re: [tor-bugs] #25729 [Core Tor/Tor]: UTF8 encoded TORRC does NOT parse non-Latin paths
Previous by thread: Re: [tor-bugs] #27320 [Applications/Tor Browser]: Build certutil for Windows
Next by thread: Re: [tor-bugs] #27984 [Obfuscation/BridgeDB]: bridgedb verifyHostname doesn't check subjectAltName extension
Index(es):
- Author
- Thread