[ldns-users] Hostname verification in certificate chain?

Willem Toorop willem at nlnetlabs.nl
Thu Feb 6 11:20:23 UTC 2020


Hi Jeff,

Indeed, the ldns_dane_verify() and ldns_dane_verify_rr() functions do
not perform server name checks as is also mentioned in the documentation
for the individual functions in dane.h:

/**
 * BEWARE! The ldns dane verification functions do *not* do server name
 * checks.  The user has to perform additional server name checks
 * themselves!
 */

and in the doxygen documentation here:

https://nlnetlabs.nl/documentation/ldns/dane_8h.html#a838a1bb630c4d1001fa8612703f80bde

and here:

https://nlnetlabs.nl/documentation/ldns/dane_8h.html#aa3f4dad24e34739b957a54eae36d9131

Kind regards,
-- Willem


On 05-02-2020 at 18:12, Jeffrey Walton via ldns-users wrote:
> Hi Everyone,
> 
> I may be parsing use of X509_verify_cert incorrectly... but it does
> not appear hostname matching and verification is occurring in dane.c.
> 
> If I recall correctly... For OpenSSL 1.0.2, you had to manually match
> the server name in the request with hostname in the end entity
> certificate. It made using OpenSSL 1.0.2 a drag. Also see
> https://wiki.openssl.org/index.php/SSL/TLS_Client on the OpenSSL wiki.
> 
> For OpenSSL 1.1.x, you use X509_VERIFY_PARAM_set_hostflags and
> X509_check_host to have the library do it. But I don't see a call to
> X509_VERIFY_PARAM_set_hostflags. Also see
> https://wiki.openssl.org/index.php/Hostname_validation on the OpenSSL
> wiki.
> 
> Can someone familiar with the OpenSSL code in dane.c please take a look at it?
> 
> Lack of hostname verification is a CVE item. If hostname verification
> is not occurring, then that should be listed in the README so folks
> are aware of the risk.
> 
> Sorry to bring this up.
> 
> Jeff



More information about the ldns-users mailing list