[Freeipa-devel] [PATCH] 0001 cert-show: Remove check if hostname != CN

Rob Crittenden rcritten at redhat.com
Fri Oct 9 13:10:17 UTC 2015


Christian Heimes wrote:
> On 2015-10-09 13:21, Jan Orel wrote:
>> Hello,
>>
>> this patch removes an (IMHO) redundant check in cert_show, which fails when
>> a host tries to re-submit a certificate of a different host/service which it
>> can manage.
>>
>> I also reported the bug here:
>> https://bugzilla.redhat.com/show_bug.cgi?id=1269089
>>
>> I tried to run the tests as well and it doesn't seem to break anything.
>> Any feedback appreciated.
> 
> Jan Cholasta, you implemented the check in 2011. What purpose does it have?
> 
> hostname == CN has been deprecated by RFC 2818 for some time, see
> https://tools.ietf.org/html/rfc2818#section-3.1  The current check is
> also not sufficient to prevent forgery. Browsers and modern TLS
> libraries completely ignore CN when a dNSName SAN extension is present.

He just tweaked a pylint error, I did this code.

The check isn't perfect (by far) but I don't think forgery is an issue.
We're talking about retrieving a public cert, not doing a handshake.

I think checking just the common name is ok because of the way IPA
issues server certs. I'm not sure if SAN would even come into play in
the case of checking this ACL.

The only way I see this as being a problem is if a new profile is
created for issuing server certs where the CN of the target host isn't
in the subject.

rob
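The thread turns on two different notions of "the certificate's host name": the CN == hostname comparison Rob describes in the cert-show ACL, and the RFC 2818 section 3.1 rule Christian cites, under which a dNSName SAN, when present, replaces the CN entirely. The following Python is an added illustration, not FreeIPA code and not the patch under discussion: `CertNames`, `hostname_matches` and `names_considered` are this example's own names, and `cn_only_check` is an assumed stand-in for the "hostname != CN" comparison being removed, written from the thread's description rather than from the actual cert_show source. It runs stand-alone on constructed certificate name data.

```python
"""RFC 2818 / RFC 6125 style DNS name matching, contrasted with a CN-only check.

Added example for the freeipa-devel thread on cert-show; not FreeIPA code.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class CertNames:
    """Names carried by a certificate: subject CN plus any dNSName SAN entries.

    Constructed stand-in for a parsed certificate (assumption: real code would
    pull these out of the X.509 subject and subjectAltName extension).
    """
    common_name: Optional[str]
    san_dns_names: List[str] = field(default_factory=list)


def cn_only_check(cert: CertNames, hostname: str) -> bool:
    """The kind of check discussed in the thread: is the subject CN the host name?

    Assumed reconstruction of "hostname != CN"; it never looks at SAN.
    """
    if cert.common_name is None:
        return False
    return cert.common_name.lower().rstrip(".") == hostname.lower().rstrip(".")


def names_considered(cert: CertNames) -> List[str]:
    """RFC 2818 section 3.1: if any dNSName SAN is present, use only SAN and ignore CN."""
    if cert.san_dns_names:
        return list(cert.san_dns_names)
    return [cert.common_name] if cert.common_name else []


def _dns_id_match(pattern: str, hostname: str) -> bool:
    """Match one DNS-ID pattern against a host name.

    A single '*' is accepted only as the whole leftmost label, it must cover
    exactly one label, and it is not allowed at the second level (e.g. '*.com').
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if len(p_labels) != len(h_labels) or len(p_labels) < 3:
        return False
    if p_labels[0] != "*" or p_labels[1:] != h_labels[1:]:
        return False
    return bool(h_labels[0]) and "*" not in h_labels[0]


def hostname_matches(cert: CertNames, hostname: str) -> bool:
    """What a browser or modern TLS library would conclude about this certificate."""
    return any(_dns_id_match(n, hostname) for n in names_considered(cert))


if __name__ == "__main__":
    # Constructed sample: CN names one host, SAN names another.
    cert = CertNames("alice.example.com", ["bob.example.com"])
    print("CN-only check for alice:", cn_only_check(cert, "alice.example.com"))   # True
    print("TLS-style match for alice:", hostname_matches(cert, "alice.example.com"))  # False
    print("TLS-style match for bob:", hostname_matches(cert, "bob.example.com"))      # True
```

With a SAN-bearing certificate the two functions disagree: `cn_only_check` accepts the CN host while `hostname_matches` rejects it, which is the gap Christian describes. Rob's point stands alongside it: for a non-TLS ACL decision about who may fetch a certificate, which names a client would trust is a separate question from which host the issuing profile put in the subject.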
