Details
Type: Bug
Status: Resolved
Priority: Minor
Resolution: Fixed
Fix Version: 4.5.2
Description
1. Matching commonName case-sensitively when a wildcard is present
(violation of RFC 6125 and RFC 5280)
HttpClient matches the certificate commonName case-sensitively when the
commonName contains a wildcard. For example, given the commonName
"*.google.com", HttpClient matches "foo.google.com" but does not match
"foo.Google.com". We found that this behavior is inconsistent with
section 6.4.4 of RFC 6125: "If the client chooses to compare a reference
identifier of type CN-ID against that string, it MUST follow the
comparison rules for the DNS domain name portion of an identifier of
type DNS-ID, SRV-ID, or URI-ID". Note that DNS-ID, SRV-ID and URI-ID
are all matched case-insensitively (RFC 5280).
Testing certificate attached: s_google_com.pem
Testing hostname: foo.Google.com
Expected behavior: match
2. Attempting to match commonName when a subjectAltName identifier is present
Section 6.3 of RFC 6125 prohibits clients from attempting to match the
certificate CN if the presented identifiers include a DNS-ID, SRV-ID,
URI-ID, or any application-specific identifier types supported by the
client. We found that HttpClient violates this requirement: it attempts
to match the CN even when a subjectAltName identifier is present, e.g.
an IP address. The library does, however, skip the CN when the
subjectAltName contains a DNS name.
Testing certificate attached: 1_1_1_1.pem
Testing hostname: dummy-value.com
Expected behavior: no match
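The two behaviors above side by side, as an added example that is not HttpClient's code and does not reproduce its source. The first function is a model of the behavior the report describes (case-sensitive wildcard CN, CN consulted whenever no DNS SAN exists); the second applies the RFC 6125 rules the report cites (CN never consulted once any subjectAltName is present, and CN-IDs compared with DNS-ID rules). Certificates are modelled as a CN plus a list of (type, value) SAN entries; the attached PEM files are not parsed, and the CN of 1_1_1_1.pem is assumed to be "dummy-value.com" so that the report's second case is a non-trivial mismatch. The wildcard rule implemented is the conservative one (a whole left-most label only, with at least two further labels), which is stricter than the partial-label wildcards RFC 6125 merely discourages.

```python
import ipaddress
from typing import List, Optional, Tuple

# A subjectAltName entry: ("DNS", "foo.example.com") or ("IP", "1.1.1.1").
SubjectAltName = Tuple[str, str]


def _normalize_dns(name: str) -> str:
    """DNS names compare case-insensitively (RFC 5280, RFC 6125 s6.4.1);
    a trailing dot is insignificant."""
    return name.rstrip(".").lower()


def _is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def _ip_san_matches(host: str, sans: List[SubjectAltName]) -> bool:
    want = ipaddress.ip_address(host.strip("[]"))
    return any(kind == "IP" and ipaddress.ip_address(v) == want for kind, v in sans)


def match_dns_id(host: str, presented: str) -> bool:
    """RFC 6125 s6.4.3 matching for a DNS-ID (also used for a CN-ID, s6.4.4):
    case-insensitive; a wildcard is honoured only as the complete left-most
    label of a name with at least two further labels ("*.google.com" is fine,
    "*.com" and "*.*.google.com" are not) and it matches exactly one label."""
    host = _normalize_dns(host)
    presented = _normalize_dns(presented)
    if "*" not in presented:
        return host == presented
    pat = presented.split(".")
    labels = host.split(".")
    if pat[0] != "*" or any("*" in p for p in pat[1:]) or len(pat) < 3:
        return False
    return len(labels) == len(pat) and labels[1:] == pat[1:]


def verify_as_reported(host: str, cn: Optional[str], sans: List[SubjectAltName]) -> bool:
    """Model of the two behaviours the report describes (NOT HttpClient's source):
    1. a wildcard CN is compared case-sensitively;
    2. the CN is consulted whenever the certificate carries no DNS SAN,
       even if it carries an IP-address SAN."""
    if _is_ip_literal(host):
        return _ip_san_matches(host, sans)
    dns_ids = [v for kind, v in sans if kind == "DNS"]
    if dns_ids:
        return any(match_dns_id(host, d) for d in dns_ids)
    if cn is None:
        return False
    if "*" in cn:
        pat, labels = cn.split("."), host.split(".")  # no lower-casing: the defect
        return len(pat) == len(labels) and pat[0] == "*" and pat[1:] == labels[1:]
    return _normalize_dns(host) == _normalize_dns(cn)


def verify_rfc6125(host: str, cn: Optional[str], sans: List[SubjectAltName]) -> bool:
    """RFC 6125 s6.3 / s6.4.4: once the certificate presents any subjectAltName
    identifier only those identifiers are searched; the CN is a fallback solely
    for certificates with no SAN at all, and is then matched with DNS-ID rules."""
    if sans:
        if _is_ip_literal(host):
            return _ip_san_matches(host, sans)
        return any(kind == "DNS" and match_dns_id(host, v) for kind, v in sans)
    return cn is not None and match_dns_id(host, cn)


# Constructed inputs mirroring the report's test cases plus two sanity checks.
CASES = [
    # (hostname, CN, SANs, expected result per RFC 6125)
    ("foo.google.com",     "*.google.com",    [],                  True),
    ("foo.Google.com",     "*.google.com",    [],                  True),   # case 1
    ("dummy-value.com",    "dummy-value.com", [("IP", "1.1.1.1")], False),  # case 2
    ("1.1.1.1",            "dummy-value.com", [("IP", "1.1.1.1")], True),
    ("bar.foo.google.com", "*.google.com",    [],                  False),
]


def run_cases():
    """Return (host, reported_result, rfc6125_result) for every case where the
    modelled behaviour disagrees with RFC 6125."""
    out = []
    for host, cn, sans, _expected in CASES:
        reported, compliant = verify_as_reported(host, cn, sans), verify_rfc6125(host, cn, sans)
        if reported != compliant:
            out.append((host, reported, compliant))
    return out


if __name__ == "__main__":
    for host, cn, sans, expected in CASES:
        assert verify_rfc6125(host, cn, sans) == expected, host
    for host, reported, compliant in run_cases():
        print(f"{host}: reported behaviour={reported}, RFC 6125={compliant}")
```

Running the block prints exactly the two disagreements the report describes: "foo.Google.com" is rejected by the modelled behaviour but accepted under RFC 6125, and "dummy-value.com" is accepted by the modelled behaviour but rejected under RFC 6125 because the IP-address SAN makes the CN ineligible.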
Credit:
Suphannee Sivakorn
George Argyros
Kexin Pei
Prof. Suman Jana