You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@qpid.apache.org by "Justin Ross (JIRA)" <ji...@apache.org> on 2016/11/04 22:37:58 UTC

[jira] [Updated] (PROTON-890) adding subjectAltName (IP) support to proton-c 0.9.1

     [ https://issues.apache.org/jira/browse/PROTON-890?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Justin Ross updated PROTON-890:
-------------------------------
    Labels: patch  (was: )

> adding subjectAltName (IP) support to proton-c 0.9.1
> ----------------------------------------------------
>
>                 Key: PROTON-890
>                 URL: https://issues.apache.org/jira/browse/PROTON-890
>             Project: Qpid Proton
>          Issue Type: Improvement
>          Components: proton-c
>    Affects Versions: 0.9
>         Environment: Ubuntu 12.04 x86-64
>            Reporter: yanfeng liu
>            Priority: Minor
>              Labels: patch
>
> Reproducing steps:
> 1) Run a broker with qpidd-cpp-0.32 runs SSL using a server certificate that has IP type SAN like IP:192.168.164.130,IP:127.0.0.1 etc.
> 2) Run a qpid-0.32-cpp sample using SSL to connect to one of the broker's IP address with trusted_certificate parameter specified. This works fine since qpid-0.32-cpp samples can handle IP:x.x.x.x type SAN correctly.
> 3) Run a proton-c messenger API based sample with the same broker and trusted_certificate and got error about SSL3 server certificate verification failure due to specified server IP in AMQP URL doesn't appear in the SAN DNS of the server certificate. 
> By checking the source code of verify_callback() in ssl/openssl.c, we can see that only GEN_DNSNAME type is supported. With the code fragement below, we can have GEN_IPADD supported as well:
> {code:title=ssl/openssl.c|borderStyle=solid}
>       if (name->type == GEN_IPADD) {
>         ASN1_OCTET_STRING *asn1 = name->d.iPAddress;
>         if (asn1 && asn1->data && asn1->length) {
>           unsigned char *str = (unsigned char *) asn1->data;
>           char ip[32];
>           int j=0;
>           while (j<asn1->length && strlen(ip)<sizeof(ip)) {
>             if (j==0) snprintf( ip, sizeof(ip), "%d" , str[j] );
>             else snprintf( ip+strlen(ip), sizeof(ip)-strlen(ip),".%d",str[j] );
>             j++;
>           }
>           ssl_log(transport, "SubjectAltName (ip) from peer cert = '%s'", ip );
>           matched = (0==strcmp(ssl->peer_hostname,ip,strlen(ssl->peer_hostname)));
>         }
>       }
> {code}
> Regards,
> yanfeng
>  
>   



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@qpid.apache.org
For additional commands, e-mail: dev-help@qpid.apache.org