Posted to dev@qpid.apache.org by "Justin Ross (JIRA)" <ji...@apache.org> on 2016/11/04 22:37:58 UTC
[jira] [Updated] (PROTON-890) adding subjectAltName (IP) support to proton-c 0.9.1
[ https://issues.apache.org/jira/browse/PROTON-890?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Justin Ross updated PROTON-890:
-------------------------------
Labels: patch (was: )
> adding subjectAltName (IP) support to proton-c 0.9.1
> ----------------------------------------------------
>
> Key: PROTON-890
> URL: https://issues.apache.org/jira/browse/PROTON-890
> Project: Qpid Proton
> Issue Type: Improvement
> Components: proton-c
> Affects Versions: 0.9
> Environment: Ubuntu 12.04 x86-64
> Reporter: yanfeng liu
> Priority: Minor
> Labels: patch
>
> Reproducing steps:
> 1) Run a qpidd-cpp-0.32 broker with SSL enabled, using a server certificate that has IP-type SANs such as IP:192.168.164.130, IP:127.0.0.1, etc.
> 2) Run a qpid-0.32-cpp sample using SSL to connect to one of the broker's IP addresses with the trusted_certificate parameter specified. This works fine, since the qpid-0.32-cpp samples can handle IP:x.x.x.x type SANs correctly.
> 3) Run a proton-c messenger API based sample against the same broker and trusted_certificate, and you get an error about SSL3 server certificate verification failure, because the server IP specified in the AMQP URL doesn't appear in the SAN DNS entries of the server certificate.
> By checking the source code of verify_callback() in ssl/openssl.c, we can see that only the GEN_DNSNAME type is supported. With the code fragment below, we can have GEN_IPADD supported as well:
> {code:title=ssl/openssl.c|borderStyle=solid}
> if (name->type == GEN_IPADD) {
>     ASN1_OCTET_STRING *asn1 = name->d.iPAddress;
>     /* Only a 4-byte (IPv4) iPAddress renders sensibly as dotted decimal; a
>        16-byte IPv6 entry would be rendered as 16 dotted numbers and never match. */
>     if (asn1 && asn1->data && asn1->length) {
>         unsigned char *str = (unsigned char *) asn1->data;
>         char ip[32] = "";   /* must be initialised: the loop below calls strlen(ip) */
>         int j = 0;
>         while (j < asn1->length && strlen(ip) < sizeof(ip)) {
>             if (j == 0) snprintf(ip, sizeof(ip), "%d", str[j]);
>             else snprintf(ip + strlen(ip), sizeof(ip) - strlen(ip), ".%d", str[j]);
>             j++;
>         }
>         ssl_log(transport, "SubjectAltName (ip) from peer cert = '%s'", ip);
>         /* Exact comparison: strcmp() takes two arguments, and a length-limited
>            prefix compare would let 192.168.164.13 satisfy a SAN of 192.168.164.130. */
>         matched = (0 == strcmp(ssl->peer_hostname, ip));
>     }
> }
> {code}
> Regards,
> yanfeng
>
>
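The safer way to do the comparison the report asks for is to avoid text rendering altogether: convert the host from the URL to its binary form with inet_pton() and compare the raw octets against the SAN iPAddress bytes. That handles IPv4 and IPv6 alike, normalises alternative IPv6 spellings, and makes a prefix match (192.168.164.13 against 192.168.164.130) impossible. The program below is an added example, not Proton's or OpenSSL's code; the function names san_ip_matches and any_san_ip_matches are hypothetical, and the SAN byte strings are constructed sample data standing in for what OpenSSL exposes as name->d.iPAddress->data and ->length.

```c
/* Added example (not Proton code): match a URL host literal against SAN
 * iPAddress octets in binary form instead of rendering them as text. */
#define _POSIX_C_SOURCE 200112L
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>

/* Return 1 if `host` (an IPv4 or IPv6 literal) equals the SAN iPAddress octets
 * `san` of length `san_len` (4 for IPv4, 16 for IPv6), otherwise 0. */
int san_ip_matches(const char *host, const unsigned char *san, size_t san_len)
{
    unsigned char buf[16];
    int af;

    if (san_len == 4)       af = AF_INET;
    else if (san_len == 16) af = AF_INET6;
    else                    return 0;   /* malformed SAN length: never match */

    /* inet_pton() returns 1 only for a well-formed literal of that family, so a
     * DNS name or an IPv6 literal against an IPv4 SAN falls through to 0. */
    if (inet_pton(af, host, buf) != 1)
        return 0;

    /* Exact octet comparison over the full length: no prefix matching. */
    return memcmp(buf, san, san_len) == 0;
}

/* Constructed stand-in for the list of GEN_IPADD entries in a certificate. */
struct san_ip { const unsigned char *data; size_t len; };

/* Return 1 if any entry matches `host`, as a verify callback would need. */
int any_san_ip_matches(const char *host, const struct san_ip *entries, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (san_ip_matches(host, entries[i].data, entries[i].len))
            return 1;
    return 0;
}

/* Constructed sample SANs: IP:192.168.164.130, IP:127.0.0.1 and IPv6 ::1. */
static const unsigned char SAN_V4_A[4]     = {192, 168, 164, 130};
static const unsigned char SAN_V4_B[4]     = {127, 0, 0, 1};
static const unsigned char SAN_V6_LOOP[16] = {0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1};
static const struct san_ip SAMPLE_SANS[] = {
    {SAN_V4_A, 4}, {SAN_V4_B, 4}, {SAN_V6_LOOP, 16},
};
#define SAMPLE_SAN_COUNT (sizeof(SAMPLE_SANS) / sizeof(SAMPLE_SANS[0]))

int main(void)
{
    const char *hosts[] = {"192.168.164.130", "192.168.164.13", "127.0.0.1",
                           "::1", "0:0:0:0:0:0:0:1", "broker.example"};
    for (size_t i = 0; i < sizeof(hosts) / sizeof(hosts[0]); i++)
        printf("%-16s -> %s\n", hosts[i],
               any_san_ip_matches(hosts[i], SAMPLE_SANS, SAMPLE_SAN_COUNT)
                   ? "match" : "no match");
    return 0;
}
```

Inside a real OpenSSL verify callback the `san` pointer and length would come from the GENERAL_NAME's d.iPAddress field; on OpenSSL 1.0.2 and later the library also offers X509_check_ip_asc(), which performs this binary comparison against all iPAddress entries for you.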