Uploaded image for project: 'C Driver'
  1. C Driver
  2. CDRIVER-1490

Certificate SAN ipAddress for IPv6 fails

XMLWordPrintableJSON

    • Type: Icon: Bug Bug
    • Resolution: Done
    • Priority: Icon: Major - P3 Major - P3
    • 1.5.0
    • Affects Version/s: 1.4.0
    • Component/s: None
    • None

      Both the openssl1.1 and openssl1.0 codepaths fail verifying certificates that are supposed to match IPv6 ipAddress Subject Alternative Names.

      This is because of the inet_pton calls provides AF_INET, and blissfully ignores anything about IPv6.
      Its trivially fixed in the OpenSSL 1.1 codepath with seperate lookup, but the OpenSSL 1.0 path is a bit more tricky as it tries to memcmp() the ASN1_STRING_data() results and inet_pton which doesn't seem to be kosher for IPv6.

            Assignee:
            bjori Hannes Magnusson
            Reporter:
            bjori Hannes Magnusson
            Votes:
            0 Vote for this issue
            Watchers:
            1 Start watching this issue

              Created:
              Updated:
              Resolved: