Posted to proton@qpid.apache.org by "yanfeng liu (JIRA)" <ji...@apache.org> on 2015/05/24 09:17:17 UTC
[jira] [Created] (PROTON-890) IP type subjectAltName not supported by verify_callback() in openssl.c
yanfeng liu created PROTON-890:
----------------------------------
Summary: IP type subjectAltName not supported by verify_callback() in openssl.c
Key: PROTON-890
URL: https://issues.apache.org/jira/browse/PROTON-890
Project: Qpid Proton
Issue Type: Improvement
Components: proton-c
Affects Versions: 0.9
Environment: Ubuntu 12.04 x86-64
Reporter: yanfeng liu
Reproducing steps:
1) Run a qpidd-cpp-0.32 broker with SSL, using a server certificate that has an IP type SAN such as IP:192.168.164.130, IP:127.0.0.1, etc.
2) Run a qpid-0.32-cpp sample using SSL to connect to one of the broker's IP addresses. This works fine, since the qpid-0.32-cpp samples can handle IP:x.x.x.x type SANs correctly.
3) Run the proton-c messenger sample against the same broker and get an error about SSL3 server certificate verification failure...
By checking the source code of verify_callback() in ssl/openssl.c, we can see that only the GEN_DNSNAME type is supported. Possibly the GEN_IPADD type should be added like below:
    if (name->type == GEN_IPADD) {
        ASN1_OCTET_STRING *asn1 = name->d.iPAddress;
        /* Only the 4-byte IPv4 form is rendered here; a 16-byte IPv6 entry
           would need inet_ntop()-style formatting instead of dotted decimal. */
        if (asn1 && asn1->data && asn1->length == 4) {
            unsigned char *str = (unsigned char *) asn1->data;
            char ip[32] = "";   /* must be initialised: strlen(ip) is read below */
            int j = 0;
            while (j < asn1->length && strlen(ip) < sizeof(ip)) {
                if (j == 0) snprintf(ip, sizeof(ip), "%d", str[j]);
                else snprintf(ip + strlen(ip), sizeof(ip) - strlen(ip), ".%d", str[j]);
                j++;
            }
            ssl_log(transport, "SubjectAltName (ip) from peer cert = '%s'", ip);
            /* Exact match: a prefix compare limited to strlen(peer_hostname)
               would accept a longer address that merely begins with it. */
            matched = !strcmp(ssl->peer_hostname, ip);
        }
    }
Regards,
yanfeng
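Added example (not part of the JIRA report or of the Proton code): the same iPAddress SAN comparison, done on the binary form so that it covers both IPv4 and IPv6 entries, canonicalises the configured peer address, and cannot produce the prefix-match problem of comparing only the first strlen(peer_hostname) bytes. The sample SAN byte arrays are constructed for the test; only POSIX inet_pton()/inet_ntop() are used, so it runs without OpenSSL.

```c
#include <arpa/inet.h>   /* inet_pton, inet_ntop, INET6_ADDRSTRLEN */
#include <string.h>

/* Constructed sample SAN payloads, as they would appear in
   name->d.iPAddress->data: 192.168.164.130 and ::1. */
const unsigned char SAMPLE_SAN_V4[4]  = {192, 168, 164, 130};
const unsigned char SAMPLE_SAN_V6[16] = {0, 0, 0, 0, 0, 0, 0, 0,
                                         0, 0, 0, 0, 0, 0, 0, 1};

/* Compare the configured peer address with the raw bytes of one iPAddress
   subjectAltName entry (4 bytes for IPv4, 16 for IPv6). Returns 1 on match.
   The comparison is done on the binary form: inet_pton() canonicalises the
   peer string, so "::1" and "0:0:0:0:0:0:0:1" compare equal, a DNS name never
   matches an IP entry, and a prefix compare over the shorter string (which
   would let 192.168.164.13 accept a 192.168.164.130 certificate) is avoided. */
int san_ip_matches(const char *peer_hostname, const unsigned char *san, int san_len)
{
    unsigned char peer[16];
    int peer_len;

    if (!peer_hostname || !san) return 0;

    if (inet_pton(AF_INET, peer_hostname, peer) == 1) {
        peer_len = 4;
    } else if (inet_pton(AF_INET6, peer_hostname, peer) == 1) {
        peer_len = 16;
    } else {
        return 0;                       /* not an IP literal at all */
    }
    if (san_len != peer_len) return 0;  /* other family or malformed entry */
    return memcmp(peer, san, (size_t)peer_len) == 0;
}

/* Render an iPAddress entry as text for logging, the way the proposed patch
   does before ssl_log(). Returns 1 on success, 0 for an unsupported length. */
int san_ip_to_text(const unsigned char *san, int san_len, char *out, size_t outlen)
{
    int af;
    if (san_len == 4)       af = AF_INET;
    else if (san_len == 16) af = AF_INET6;
    else                    return 0;
    return inet_ntop(af, san, out, (socklen_t)outlen) != NULL;
}
```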
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)