[tor-bugs] #27984 [Obfuscation/BridgeDB]: bridgedb verifyHostname doesn't check subjectAltName extension
#27984: bridgedb verifyHostname doesn't check subjectAltName extension
--------------------+--------------------------------------
Reporter: kaie | Owner: sysrqb
Type: defect | Status: new
Priority: Medium | Component: Obfuscation/BridgeDB
Version: | Severity: Normal
Keywords: | Actual Points:
Parent ID: | Points:
Reviewer: | Sponsor:
--------------------+--------------------------------------
Currently, bridgedb/crypto.py function verifyHostname uses the
certificate's commonName exclusively to perform a hostname match.
RFC 5280 demands that the presence of the subjectAltName (SAN) extension
be checked and, if present, that it be used to perform the hostname check.
verifyHostname should be changed to use subjectAltName, and only fall back
to checking the common name if SAN is missing.
If an existing, more complete implementation of hostname verification can
be found, it might be preferable to use it.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/27984>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
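The precedence the ticket asks for (SAN first, commonName only as a fallback when no SAN dNSName exists, and never for IP literals), written out as an added example. This is illustrative code, not bridgedb's verifyHostname and not code from the ticket; it works on the dict form that the standard library's `ssl.SSLSocket.getpeercert()` returns so it needs no third-party X.509 parser, and the certificates in `demo()` are constructed sample data with made-up names.

```python
"""Hostname verification that prefers subjectAltName over commonName.

Added illustrative example, not bridgedb's own code.  Certificates are
represented in the dict form returned by ssl.SSLSocket.getpeercert(),
e.g. {'subject': ((('commonName', 'x'),),),
      'subjectAltName': (('DNS', 'x'), ('IP Address', '192.0.2.1'))}.
"""
import ipaddress


def _dns_label_match(pattern, hostname):
    """RFC 6125 style match of one dNSName pattern against a hostname.

    A '*' is honoured only as the entire leftmost label and matches exactly
    one label: '*.example.com' matches 'a.example.com' but neither
    'example.com' nor 'a.b.example.com'.  '*.com' style patterns are refused.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or "*" in pattern[1:]:
        return False
    if len(h_labels) != len(p_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def _same_ip(ip, san_value):
    """Compare a parsed IP against the textual value of an iPAddress SAN."""
    try:
        return ipaddress.ip_address(san_value) == ip
    except ValueError:
        return False


def verify_hostname(cert, hostname):
    """Return True if hostname is an identity the certificate asserts.

    Order of preference, following RFC 5280 / RFC 6125:
      1. if hostname is an IP literal: SAN iPAddress entries only, never CN;
      2. SAN dNSName entries;
      3. subject commonName, and only when the SAN carries no dNSName at all.
    """
    san = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(hostname)
    except ValueError:
        ip = None
    if ip is not None:
        return any(kind == "IP Address" and _same_ip(ip, value)
                   for kind, value in san)
    dns_names = [value for kind, value in san if kind == "DNS"]
    if dns_names:
        # SAN dNSName present: CN must not be consulted, even if it matches.
        return any(_dns_label_match(p, hostname) for p in dns_names)
    # Legacy fallback: no dNSName in SAN, so use the commonName.
    for rdn in cert.get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName":
                return _dns_label_match(value, hostname)
    return False


def demo():
    """Constructed sample certificates; returns a dict of check outcomes."""
    # CN names one host but the SAN names another: a CN-only check (the
    # behaviour the ticket describes) would accept 'legacy.example'.
    san_cert = {
        "subject": ((("commonName", "legacy.example"),),),
        "subjectAltName": (("DNS", "bridges.example"),
                           ("DNS", "*.bridges.example"),
                           ("IP Address", "192.0.2.10")),
    }
    cn_only_cert = {"subject": ((("commonName", "old.example"),),)}
    return {
        "san_exact": verify_hostname(san_cert, "bridges.example"),
        "san_wildcard": verify_hostname(san_cert, "a.bridges.example"),
        "san_wildcard_two_labels": verify_hostname(san_cert, "a.b.bridges.example"),
        "cn_ignored_when_san_present": verify_hostname(san_cert, "legacy.example"),
        "san_ip": verify_hostname(san_cert, "192.0.2.10"),
        "san_ip_wrong": verify_hostname(san_cert, "192.0.2.11"),
        "cn_fallback": verify_hostname(cn_only_cert, "old.example"),
        "cn_never_for_ip": verify_hostname(cn_only_cert, "192.0.2.10"),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:30s} {'accept' if ok else 'reject'}")
```

The `cn_ignored_when_san_present` case is the one that separates this from a CN-only matcher: a certificate whose SAN lists only `bridges.example` is rejected for `legacy.example` even though that string sits in the commonName.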