[TS-3608] SSL client code does not validate upstream hostname - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: None
Fix Version/s: 6.0.0
Component/s: SSL
Labels:
- yahoo

Description

Our SSL client side certificate validation does not validate that the upstream certificate actually matches the request hostname/IP.

Openssl added a check for this (X509_check_host) in 1.0.2 – but that version is still far from becoming mainstream (and the implementation there is somewhat overcomplicated for our needs).

Fix is to validate (when client side validation is turned on) according to RFC6125

Attachments

Activity

People

Assignee:: Uri Shachar

Reporter:: Uri Shachar

Votes:: 0 Vote for this issue

Watchers:: 4 Start watching this issue

Dates

Created:: 16/May/15 14:13

Updated:: 04/Feb/16 18:55

Resolved:: 16/May/15 14:24