Posted to issues@trafficserver.apache.org by "Uri Shachar (JIRA)" <ji...@apache.org> on 2015/05/16 16:13:59 UTC
[jira] [Created] (TS-3608) SSL client code does not validate upstream hostname
Uri Shachar created TS-3608:
-------------------------------
Summary: SSL client code does not validate upstream hostname
Key: TS-3608
URL: https://issues.apache.org/jira/browse/TS-3608
Project: Traffic Server
Issue Type: Bug
Components: SSL
Reporter: Uri Shachar
Our SSL client side certificate validation does not validate that the upstream certificate actually matches the request hostname/IP.
OpenSSL added a check for this (X509_check_host) in 1.0.2 -- but that version is still far from becoming mainstream (and the implementation there is somewhat overcomplicated for our needs).
Fix is to validate (when client side validation is turned on) according to RFC 6125.
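A sketch of the DNS name comparison that RFC 6125 calls for, added here as an illustration; it is not Traffic Server's or OpenSSL's code, and the function names are hypothetical. It assumes a conservative profile: the wildcard must be the entire leftmost label, `*.tld` patterns are rejected, and a host that looks like an IP literal never matches a DNS name.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Case-insensitive compare of n ASCII bytes. */
static int eq_nocase(const char *a, const char *b, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return 0;
    return 1;
}

/* Heuristic (assumption): contains ':' or is only digits and dots. */
static int looks_like_ip(const char *s, size_t n) {
    int numeric = 1;
    for (size_t i = 0; i < n; i++) {
        if (s[i] == ':') return 1;
        if (!isdigit((unsigned char)s[i]) && s[i] != '.') numeric = 0;
    }
    return numeric;
}

/* Returns 1 if `pattern` (a dNSName from the certificate's subjectAltName)
 * matches `host` (the upstream name the proxy intended to reach).
 * The caller must already have rejected dNSName values with embedded NULs. */
int dns_id_matches(const char *pattern, const char *host) {
    size_t plen = strlen(pattern), hlen = strlen(host);
    if (hlen > 0 && host[hlen - 1] == '.') hlen--;   /* absolute FQDN */
    if (plen == 0 || hlen == 0) return 0;
    if (looks_like_ip(host, hlen)) return 0;   /* IPs need an iPAddress SAN */
    if (pattern[0] != '*') {                   /* exact match, no '*' at all */
        if (memchr(pattern, '*', plen)) return 0;
        return plen == hlen && eq_nocase(pattern, host, plen);
    }
    /* Wildcard: only "*." followed by at least two labels is accepted. */
    if (plen < 3 || pattern[1] != '.') return 0;
    const char *suffix = pattern + 1;          /* e.g. ".example.com" */
    size_t slen = plen - 1;
    if (memchr(suffix, '*', slen)) return 0;
    if (!memchr(suffix + 1, '.', slen - 1)) return 0;   /* rejects "*.com" */
    const char *dot = memchr(host, '.', hlen); /* '*' covers one label only */
    if (!dot || dot == host) return 0;
    return hlen - (size_t)(dot - host) == slen && eq_nocase(dot, suffix, slen);
}

int main(void) {   /* constructed sample names */
    printf("%d %d\n", dns_id_matches("*.example.com", "origin.example.com"),
           dns_id_matches("*.example.com", "a.b.example.com"));
    return 0;
}
```

The `host` argument must be the name the proxy itself chose to connect to, never a name taken from the peer's response.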