Project

General

Profile

Actions

Bug #8275

closed

Input validation for Certificate SAN (Subject Alternative Name) allows IP addresses to be entered when FQDN/Hostname is selected

Added by Mahmoud Al-Qudsi about 6 years ago. Updated about 6 years ago.

Status:
Resolved
Priority:
Very Low
Assignee:
Category:
Certificates
Target version:
Start date:
01/12/2018
Due date:
% Done:

100%

Estimated time:
Plus Target Version:
Release Notes:
Affected Version:
All
Affected Architecture:
All

Description

As we're all aware, changes to how Chrome (and possibly other browsers in the future) disregard the common name field of an SSL certificate are making specifying correct SAN records in generated SSL certificates more important.

In pfSense, an IP address entered as a SAN on the certificate generation page results in an incorrect SAN record in the resulting certificate with the IP address understood as a FQDN/hostname rather than an IP. The final ssl cert SAN record ends up looking like "DNS Name=192.168.42.1" instead of "IP=192.168.42.1".

pfSense should parse the contents of the SAN fields submitted by the user and specify the correct SAN type during certificate generation. Hostnames and FQDNs should continue to use the DNS SAN record type, but IP addresses (obligatory "remember to include IPv6 parsing" reminder) should use the IP=a.b.c.d record type instead.


Files

Incorrectly generated IP SAN.png (11.8 KB) Incorrectly generated IP SAN.png How pfSense currently sets SAN with an IP value Mahmoud Al-Qudsi, 01/12/2018 01:23 PM
Correctly generated IP SAN.png (28.4 KB) Correctly generated IP SAN.png Correct SAN ip address configuration Mahmoud Al-Qudsi, 01/12/2018 01:23 PM
Actions #1

Updated by Jim Pingle about 6 years ago

  • Subject changed from Certificate SAN (Subject Alternative Name) generated incorrectly for IP addresses to Input validation for Certificate SAN (Subject Alternative Name) allows IP addresses to be entered when FQDN/Hostname is selected
  • Assignee set to Jim Pingle
  • Priority changed from Normal to Very Low
  • Affected Version set to All

The user specifies the SAN type when making entries in the SAN list. If you choose "IP Address" it makes proper entries.

The only case for a bug here is that input validation doesn't reject an IP address made using the "FQDN or Hostname" selection.

You can work around your issue by properly selecting "IP Address" for the Type field in the Alternative Names list when creating a certificate.

Actions #2

Updated by Jim Pingle about 6 years ago

  • Target version set to 2.4.3
  • Affected Architecture All added
  • Affected Architecture deleted ()
Actions #3

Updated by Mahmoud Al-Qudsi about 6 years ago

I'm sorry, I completely missed that there's a dropdown that can be used to specify the record type.

Actions #4

Updated by Jim Pingle about 6 years ago

  • Status changed from New to Feedback
  • % Done changed from 0 to 100
Actions #5

Updated by Jim Pingle about 6 years ago

  • Status changed from Feedback to Resolved

Input validation works properly now, an IP address is rejected when FQDN is selected.

Actions

Also available in: Atom PDF