Bug #8275
closedInput validation for Certificate SAN (Subject Alternative Name) allows IP addresses to be entered when FQDN/Hostname is selected
100%
Description
As we're all aware, changes to how Chrome (and possibly other browsers in the future) disregard the common name field of an SSL certificate are making specifying correct SAN records in generated SSL certificates more important.
In pfSense, an IP address entered as a SAN on the certificate generation page results in an incorrect SAN record in the resulting certificate with the IP address understood as a FQDN/hostname rather than an IP. The final ssl cert SAN record ends up looking like "DNS Name=192.168.42.1" instead of "IP=192.168.42.1".
pfSense should parse the contents of the SAN fields submitted by the user and specify the correct SAN type during certificate generation. Hostnames and FQDNs should continue to use the DNS SAN record type, but IP addresses (obligatory "remember to include IPv6 parsing" reminder) should use the IP=a.b.c.d record type instead.
Files
Updated by Jim Pingle almost 7 years ago
- Subject changed from Certificate SAN (Subject Alternative Name) generated incorrectly for IP addresses to Input validation for Certificate SAN (Subject Alternative Name) allows IP addresses to be entered when FQDN/Hostname is selected
- Assignee set to Jim Pingle
- Priority changed from Normal to Very Low
- Affected Version set to All
The user specifies the SAN type when making entries in the SAN list. If you choose "IP Address" it makes proper entries.
The only case for a bug here is that input validation doesn't reject an IP address made using the "FQDN or Hostname" selection.
You can work around your issue by properly selecting "IP Address" for the Type field in the Alternative Names list when creating a certificate.
Updated by Jim Pingle almost 7 years ago
- Target version set to 2.4.3
- Affected Architecture All added
- Affected Architecture deleted (
)
Updated by Mahmoud Al-Qudsi almost 7 years ago
I'm sorry, I completely missed that there's a dropdown that can be used to specify the record type.
Updated by Jim Pingle almost 7 years ago
- Status changed from New to Feedback
- % Done changed from 0 to 100
Applied in changeset 19a1cf348b07dbaf8fe4d81b8cfc8292b61fd8c3.
Updated by Jim Pingle over 6 years ago
- Status changed from Feedback to Resolved
Input validation works properly now, an IP address is rejected when FQDN is selected.