Details
- Bug
- Resolution: Done
- Major - P3
- 1.4.0
Description
Both the openssl1.1 and openssl1.0 codepaths fail to verify certificates that are supposed to match IPv6 ipAddress Subject Alternative Names.
This is because the inet_pton calls provide AF_INET, and blissfully ignore anything about IPv6.
It's trivially fixed in the OpenSSL 1.1 codepath with a separate lookup, but the OpenSSL 1.0 path is a bit more tricky as it tries to memcmp() the ASN1_STRING_data() results and inet_pton, which doesn't seem to be kosher for IPv6.
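A family-aware version of the comparison described above, as an added example that is not the driver's own code. The helper names and sample byte arrays are hypothetical; `san`/`san_len` stand in for what ASN1_STRING_data() and ASN1_STRING_length() return for an ipAddress SAN entry.

```c
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample SAN payloads (network byte order): ::1 and 127.0.0.1 */
static const unsigned char SAN_V6_LOOPBACK[16] = { [15] = 1 };
static const unsigned char SAN_V4_LOOPBACK[4] = { 127, 0, 0, 1 };

/* Hypothetical helper: parse a textual IP literal into network-order bytes.
 * Returns 4 for IPv4, 16 for IPv6, 0 if host is not an IP literal. */
static size_t parse_ip_literal(const char *host, unsigned char out[16])
{
    struct in_addr v4;
    struct in6_addr v6;

    if (inet_pton(AF_INET, host, &v4) == 1) {
        memcpy(out, &v4, sizeof v4);
        return sizeof v4;
    }
    /* The AF_INET-only code never reaches this second attempt. */
    if (inet_pton(AF_INET6, host, &v6) == 1) {
        memcpy(out, &v6, sizeof v6);
        return sizeof v6;
    }
    return 0;
}

/* Returns 1 if host is an IP literal equal to the SAN's raw address bytes. */
int host_matches_ip_san(const char *host, const unsigned char *san, size_t san_len)
{
    unsigned char addr[16];
    size_t addr_len = parse_ip_literal(host, addr);

    /* Check length before memcmp(): a 4-byte IPv4 SAN must never be compared
     * against part of a 16-byte IPv6 address, or the other way round. */
    if (addr_len == 0 || addr_len != san_len)
        return 0;
    return memcmp(addr, san, addr_len) == 0;
}

int main(void)
{
    printf("::1 vs v6 SAN: %d\n", host_matches_ip_san("::1", SAN_V6_LOOPBACK, 16));
    printf("::1 vs v4 SAN: %d\n", host_matches_ip_san("::1", SAN_V4_LOOPBACK, 4));
    return 0;
}
```

Comparing the parsed bytes rather than the text also means equivalent spellings of one IPv6 address (`::1` and `0:0:0:0:0:0:0:1`) match the same SAN.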
Issue Links
- is related to: CDRIVER-1156 TLS Improved (Closed)