Details
- Type: Improvement
- Status: Open
- Priority: Minor
- Resolution: Unresolved
- Affects Version: proton-0.9
- Environment: Ubuntu 12.04 x86-64
Description
Reproducing steps:
1) Run a qpidd-cpp-0.32 broker with SSL enabled, using a server certificate that carries IP-type SANs such as IP:192.168.164.130,IP:127.0.0.1 etc.
2) Run a qpid-0.32-cpp sample over SSL, connecting to one of the broker's IP addresses with the trusted_certificate parameter specified. This works fine, since the qpid-0.32-cpp samples handle IP:x.x.x.x type SANs correctly.
3) Run a proton-c messenger API based sample against the same broker with the same trusted_certificate. This fails with an SSL3 server certificate verification error, because the server IP given in the AMQP URL does not appear among the DNS SANs of the server certificate.
Checking the source of verify_callback() in ssl/openssl.c shows that only the GEN_DNSNAME type is supported. With the code fragment below, GEN_IPADD can be supported as well (it belongs inside the SAN loop of verify_callback(), where `name`, `ssl`, `transport` and `matched` are already in scope):
```c
if (name->type == GEN_IPADD) {
    ASN1_OCTET_STRING *asn1 = name->d.iPAddress;
    /* Dotted-decimal formatting is only valid for a 4-byte (IPv4) address. */
    if (asn1 && asn1->data && asn1->length == 4) {
        unsigned char *str = (unsigned char *) asn1->data;
        char ip[32] = "";   /* must be initialised before strlen() is used on it */
        int j = 0;
        while (j < asn1->length && strlen(ip) < sizeof(ip)) {
            if (j == 0)
                snprintf(ip, sizeof(ip), "%d", str[j]);
            else
                snprintf(ip + strlen(ip), sizeof(ip) - strlen(ip), ".%d", str[j]);
            j++;
        }
        ssl_log(transport, "SubjectAltName (ip) from peer cert = '%s'", ip);
        /* strcmp() takes two arguments; compare the formatted SAN with the URL host. */
        matched = (0 == strcmp(ssl->peer_hostname, ip));
    }
}
```
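As an added illustration (example code written for this report, not part of proton or of the fragment above), the check can be made more robust by parsing the URL host with inet_pton() and comparing raw octets, which covers IPv6 SANs (16 bytes) as well as IPv4 and is immune to differences in IPv6 text forms; san_ip_matches, the sample SAN constants and the bracket stripping are assumptions of this example.

```c
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample SAN octets, as stored in a GEN_IPADD entry. */
static const unsigned char SAN_V4[4]  = {192, 168, 164, 130};
static const unsigned char SAN_V6[16] = {0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1}; /* ::1 */

/* Returns 1 if the SAN octets (4 bytes for IPv4, 16 for IPv6) equal the
 * address that peer_host parses to, otherwise 0. A DNS name never matches
 * an IP SAN, and an unexpected SAN length is treated as a mismatch. */
int san_ip_matches(const unsigned char *san, size_t san_len, const char *peer_host)
{
    unsigned char parsed[16];
    char host[64];
    size_t n;
    int af;

    if (!san || !peer_host) return 0;
    n = strlen(peer_host);
    /* URLs carry IPv6 literals as [addr]; strip the brackets before parsing. */
    if (n >= 2 && peer_host[0] == '[' && peer_host[n - 1] == ']') {
        peer_host++;
        n -= 2;
    }
    if (n == 0 || n >= sizeof host) return 0;
    memcpy(host, peer_host, n);
    host[n] = '\0';

    if (san_len == 4)       af = AF_INET;
    else if (san_len == 16) af = AF_INET6;
    else                    return 0;   /* malformed SAN length: never a match */

    /* inet_pton() rejects hostnames, so a DNS name in the URL yields 0. */
    if (inet_pton(af, host, parsed) != 1) return 0;
    return memcmp(san, parsed, san_len) == 0;
}

int main(void)
{
    printf("v4 match: %d, v6 match: %d, dns vs ip: %d\n",
           san_ip_matches(SAN_V4, 4, "192.168.164.130"),
           san_ip_matches(SAN_V6, 16, "[0:0:0:0:0:0:0:1]"),
           san_ip_matches(SAN_V4, 4, "localhost"));
    return 0;
}
```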
Regards,
yanfeng