Loading...

XML

Word

Printable

JSON

Type: Bug
Resolution: Done
Priority: Major - P3
Fix Version/s: 1.5.0
Affects Version/s: 1.4.0
Component/s: None
Labels:
None

Confidence Status:
None

Aha! Reference:
None
Tracking Level:
None
Risk Status:
None
Exec Notes:
None
Goal Link:
None
Goal Name(s):
None

Both the openssl1.1 and openssl1.0 codepaths fail verifying certificates that are supposed to match IPv6 ipAddress Subject Alternative Names.

This is because of the inet_pton calls provides AF_INET, and blissfully ignores anything about IPv6.
Its trivially fixed in the OpenSSL 1.1 codepath with seperate lookup, but the OpenSSL 1.0 path is a bit more tricky as it tries to memcmp() the ASN1_STRING_data() results and inet_pton which doesn't seem to be kosher for IPv6.

is related to

CDRIVER-1156 TLS Improved

Development Complete

Assignee:: Hannes Magnusson (Inactive)
Reporter:: Hannes Magnusson (Inactive)
Votes:: 0 Vote for this issue
Watchers:: 1 Start watching this issue

Created:: Aug 23 2016 11:35:41 PM UTC
Updated:: Oct 19 2016 02:15:27 PM UTC
Resolved:: Aug 26 2016 06:26:07 PM UTC
Confidence Status Last Update:: 24/Aug/16 5:28 PM

Details

Description

Attachments

Issue Links

Forms

Activity

People

Dates