Posted to issues@trafficserver.apache.org by "Uri Shachar (JIRA)" <ji...@apache.org> on 2015/05/16 16:13:59 UTC

[jira] [Created] (TS-3608) SSL client code does not validate upstream hostname

Uri Shachar created TS-3608:
-------------------------------

             Summary: SSL client code does not validate upstream hostname
                 Key: TS-3608
                 URL: https://issues.apache.org/jira/browse/TS-3608
             Project: Traffic Server
          Issue Type: Bug
          Components: SSL
            Reporter: Uri Shachar


Our SSL client side certificate validation does not validate that the upstream certificate actually matches the request hostname/IP.

OpenSSL added a check for this (X509_check_host) in 1.0.2 -- but that version is still far from becoming mainstream (and the implementation there is somewhat overcomplicated for our needs).

Fix is to validate (when client-side validation is turned on) according to RFC 6125.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
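
The RFC 6125 check the report asks for, as an added example (not part of the original report and not Traffic Server's code): matching the dNSName entries of an upstream certificate against the request hostname. The function names and the wildcard policy are assumptions made for illustration; extracting the names from the X509 object and comparing IP addresses against iPAddress entries are outside what it shows.

```cpp
#include <algorithm>
#include <cctype>
#include <string>
#include <vector>

// Lower-case ASCII copy with a single trailing dot (absolute form) removed.
static std::string normalize(std::string s) {
    if (!s.empty() && s.back() == '.') s.pop_back();
    std::transform(s.begin(), s.end(), s.begin(),
                   [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
    return s;
}

// IP literals must be compared against iPAddress SAN entries, never DNS names.
static bool looks_like_ip(const std::string& s) {
    return s.find(':') != std::string::npos ||
           s.find_first_not_of("0123456789.") == std::string::npos;
}

// Match one presented dNSName against the hostname the proxy is connecting to.
// Assumed policy (stricter than RFC 6125 requires): "*" is honoured only as the
// whole left-most label, stands for exactly one label, and needs two labels after it.
bool match_dns_id(const std::string& presented, const std::string& reference) {
    const std::string pat = normalize(presented);
    const std::string host = normalize(reference);
    if (pat.empty() || host.empty() || looks_like_ip(host)) return false;
    // A name carrying an embedded NUL never matches.
    if (pat.find('\0') != std::string::npos || host.find('\0') != std::string::npos) return false;
    if (pat.find('*') == std::string::npos) return pat == host;
    if (pat.size() < 3 || pat[0] != '*' || pat[1] != '.') return false;  // "f*.example.com"
    const std::string suffix = pat.substr(1);                            // ".example.com"
    if (suffix.find('*') != std::string::npos) return false;             // "*.*.example.com"
    if (std::count(suffix.begin(), suffix.end(), '.') < 2) return false; // "*.com"
    if (host.size() <= suffix.size()) return false;                      // bare "example.com"
    if (host.compare(host.size() - suffix.size(), suffix.size(), suffix) != 0) return false;
    // Whatever precedes the suffix must be a single label.
    return host.find('.') == host.size() - suffix.size();
}

// True if any subjectAltName dNSName in the certificate matches the host.
bool cert_matches_host(const std::vector<std::string>& san_dns_names, const std::string& host) {
    return std::any_of(san_dns_names.begin(), san_dns_names.end(),
                       [&](const std::string& n) { return match_dns_id(n, host); });
}
```

A caller would run this after chain verification succeeds and fail the upstream handshake when it returns false.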