[tor-bugs] #27984 [Obfuscation/BridgeDB]: bridgedb verifyHostname doesn't check subjectAltName extension
Tor Bug Tracker & Wiki
blackhole at torproject.org
Tue Oct 9 09:58:45 UTC 2018
#27984: bridgedb verifyHostname doesn't check subjectAltName extension
--------------------+--------------------------------------
Reporter: kaie | Owner: sysrqb
Type: defect | Status: new
Priority: Medium | Component: Obfuscation/BridgeDB
Version: | Severity: Normal
Keywords: | Actual Points:
Parent ID: | Points:
Reviewer: | Sponsor:
--------------------+--------------------------------------
Currently, bridgedb/crypto.py function verifyHostname uses the
certificate's commonName exclusively to perform a hostname match.
RFC 5280 demands that the presence of the subjectAltName (SAN) extension
be checked and, if present, that it be used to perform the hostname check.
verifyHostname should be changed to use subjectAltName, and only fall back
to checking the common name if SAN is missing.
If an existing, more complete implementation of hostname verification can
be found, it might be preferable to use it.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/27984>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
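As an added example (not code from the ticket, from bridgedb, or from the Tor Project), here is a Python 3 hostname check with the precedence the reporter asks for: names in the subjectAltName extension are authoritative, and commonName is consulted only when the extension is absent entirely. It assumes certificates in the dict layout returned by Python's ssl.SSLSocket.getpeercert(); the sample certificates below and their example.org/example.net names and 192.0.2.x address are constructed for the demonstration. It goes slightly beyond the ticket by also handling IP-address SAN entries and RFC 6125 wildcard rules.

```python
"""Hostname verification that prefers subjectAltName over commonName.

Added example, not bridgedb's code. Certificates are assumed to be in the
dict layout returned by ssl.SSLSocket.getpeercert(): 'subject' is a tuple
of RDNs (each a tuple of (attribute, value) pairs) and 'subjectAltName' is
a tuple of (type, value) pairs such as ('DNS', 'host.example.org').
"""
import ipaddress


class HostnameMismatch(Exception):
    """Raised when no authorised name in the certificate matches the hostname."""


def _dns_match(pattern, hostname):
    """Compare a DNS-ID pattern with a hostname (RFC 6125 section 6.4.3 rules).

    Case-insensitive; a trailing dot is ignored. A single wildcard is allowed
    only as the entire leftmost label, it must match exactly one non-empty
    label, and at least two literal labels must follow it (so "*.com" is
    never accepted as a valid pattern).
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    if any("*" in label for label in p_labels[1:]):
        return False
    return (len(h_labels) == len(p_labels)
            and h_labels[0] != ""
            and h_labels[1:] == p_labels[1:])


def _common_names(cert):
    """Every commonName attribute in the subject, in certificate order."""
    return [value
            for rdn in cert.get("subject", ())
            for attr, value in rdn
            if attr == "commonName"]


def verify_hostname(cert, hostname):
    """Return the certificate name that authorises `hostname`.

    If the subjectAltName extension is present it is the only source of
    names (RFC 5280 section 4.2.1.6, RFC 6125 section 6.4.4); commonName
    is used as a legacy fallback only when the extension is absent.
    Raises HostnameMismatch when nothing matches.
    """
    if "subjectAltName" in cert:
        try:
            wanted_ip = ipaddress.ip_address(hostname)
        except ValueError:
            wanted_ip = None  # hostname is a DNS name, not an IP literal
        for kind, value in cert["subjectAltName"]:
            if kind == "DNS" and wanted_ip is None and _dns_match(value, hostname):
                return value
            if kind == "IP Address" and wanted_ip is not None:
                try:
                    if ipaddress.ip_address(value) == wanted_ip:
                        return value
                except ValueError:
                    continue  # malformed entry: ignore it, never match on it
        raise HostnameMismatch(
            "hostname %r not in subjectAltName (commonName ignored)" % hostname)
    # Legacy path: no SAN extension at all, so the CN is the only name available.
    for cn in _common_names(cert):
        if _dns_match(cn, hostname):
            return cn
    raise HostnameMismatch("hostname %r does not match commonName" % hostname)


def matches(cert, hostname):
    """Boolean convenience wrapper around verify_hostname()."""
    try:
        verify_hostname(cert, hostname)
        return True
    except HostnameMismatch:
        return False


# Constructed sample certificates (example.org / example.net are reserved names).
CERT_WITH_SAN = {
    "subject": ((("commonName", "cn-only-name.example.org"),),),
    "subjectAltName": (("DNS", "bridges.example.org"),
                       ("DNS", "*.example.net"),
                       ("IP Address", "192.0.2.10")),
}
CERT_CN_ONLY = {
    "subject": ((("countryName", "XX"),), (("commonName", "legacy.example.org"),)),
}

if __name__ == "__main__":
    print(verify_hostname(CERT_WITH_SAN, "bridges.example.org"))  # bridges.example.org
    print(verify_hostname(CERT_WITH_SAN, "host.example.net"))     # *.example.net
    print(matches(CERT_WITH_SAN, "cn-only-name.example.org"))     # False: SAN present, CN ignored
    print(verify_hostname(CERT_CN_ONLY, "Legacy.Example.ORG"))    # legacy.example.org
```

The important behaviour to notice is the third call: CERT_WITH_SAN carries a commonName that is not repeated in the SAN, and a CN-only check would accept it, whereas the SAN-first check rejects it. In practice such a dict comes from `getpeercert()` after the chain has already been validated; this function only answers the "is this certificate for the host I asked for" question and does nothing about signatures or expiry.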