[tor-bugs] #27984 [Obfuscation/BridgeDB]: bridgedb verifyHostname doesn't check subjectAltName extension

Tor Bug Tracker & Wiki blackhole at torproject.org
Tue Oct 9 09:58:45 UTC 2018


#27984: bridgedb verifyHostname doesn't check subjectAltName extension
--------------------+--------------------------------------
 Reporter:  kaie    |          Owner:  sysrqb
     Type:  defect  |         Status:  new
 Priority:  Medium  |      Component:  Obfuscation/BridgeDB
  Version:          |       Severity:  Normal
 Keywords:          |  Actual Points:
Parent ID:          |         Points:
 Reviewer:          |        Sponsor:
--------------------+--------------------------------------
 Currently, bridgedb/crypto.py function verifyHostname uses the
 certificate's commonName exclusively to perform a hostname match.

 RFC 5280 demands that the presence of the subjectAltName (SAN) extension
 is checked, and if present, must be used to perform the hostname check.

 verifyHostname should be changed to use subjectAltName. Only fall back to
 check common name if SAN is missing.

 If an existing, more complete implementation of hostname verification can
 be found, it might be preferable to use it.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/27984>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
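A SAN-first check of the shape the ticket asks for, written here as an added example (it is not BridgeDB's verifyHostname) against the dict format that Python's `ssl.SSLSocket.getpeercert()` returns; the three certificate dicts are constructed, and the last one is the case the ticket describes: a commonName that matches while the SAN extension does not list the name.

```python
"""SAN-first hostname verification (added example, not BridgeDB code).
Operates on the dict shape returned by ssl.SSLSocket.getpeercert()."""


def _match_dns_pattern(pattern: str, hostname: str) -> bool:
    """Match one dNSName pattern against a hostname, case-insensitively.
    A wildcard is accepted only as the entire leftmost label and matches
    exactly one label: '*.example.org' matches 'a.example.org' but
    neither 'example.org' nor 'a.b.example.org'."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    plabels, hlabels = pattern.split("."), hostname.split(".")
    # Reject partial wildcards such as 'f*o', a bare '*', and '*.org'.
    if plabels[0] != "*" or "*" in plabels[1:] or len(plabels) < 3:
        return False
    return len(plabels) == len(hlabels) and plabels[1:] == hlabels[1:]


def verify_hostname(cert: dict, hostname: str) -> bool:
    """Use the subjectAltName DNS entries when the extension is present;
    consult commonName only when the certificate has no SAN at all."""
    san = cert.get("subjectAltName")
    if san is not None:
        dns_names = [value for kind, value in san if kind == "DNS"]
        return any(_match_dns_pattern(p, hostname) for p in dns_names)
    common_names = [value for rdn in cert.get("subject", ())
                    for key, value in rdn if key == "commonName"]
    return any(_match_dns_pattern(p, hostname) for p in common_names)


# Constructed sample certificates in getpeercert() format (not real certs).
SAN_CERT = {
    "subject": ((("commonName", "bridges.example.org"),),),
    "subjectAltName": (("DNS", "bridges.example.org"),
                       ("DNS", "*.bridges.example.org")),
}
CN_ONLY_CERT = {"subject": ((("commonName", "legacy.example.org"),),)}
CN_MATCHES_SAN_DOES_NOT = {
    "subject": ((("commonName", "bridges.example.org"),),),
    "subjectAltName": (("DNS", "other.example.org"),),
}
```

IP-address SAN entries (`("IP Address", ...)`) are deliberately out of scope here; a hostname given as an IP literal must be matched against those, not against DNS names.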