
Bug #8275

Input validation for Certificate SAN (Subject Alternative Name) allows IP addresses to be entered when FQDN/Hostname is selected

Added by Mahmoud Al-Qudsi 9 months ago. Updated 8 months ago.

Status: Resolved
Priority: Very Low
Assignee:
Category: Certificates
Target version:
Start date: 01/12/2018
Due date:
% Done: 100%
Estimated time:
Affected Version: All
Affected Architecture: All

Description

As we're all aware, changes to how Chrome (and possibly other browsers in the future) disregards the common name field of an SSL certificate are making specifying correct SAN records in generated SSL certificates more important.

In pfSense, an IP address entered as a SAN on the certificate generation page results in an incorrect SAN record in the resulting certificate, with the IP address understood as a FQDN/hostname rather than an IP. The final SSL cert SAN record ends up looking like "DNS Name=192.168.42.1" instead of "IP=192.168.42.1".

pfSense should parse the contents of the SAN fields submitted by the user and specify the correct SAN type during certificate generation. Hostnames and FQDNs should continue to use the DNS SAN record type, but IP addresses (obligatory "remember to include IPv6 parsing" reminder) should use the IP=a.b.c.d record type instead.

Attachment: Incorrectly generated IP SAN.png (11.8 KB): How pfSense currently sets SAN with an IP value. Mahmoud Al-Qudsi, 01/12/2018 01:23 PM
Attachment: Correctly generated IP SAN.png (28.4 KB): Correct SAN IP address configuration. Mahmoud Al-Qudsi, 01/12/2018 01:23 PM
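An added example, not pfSense's own code, of the validation behaviour this ticket is about: a SAN entry typed as "FQDN or Hostname" must be rejected if its value is a literal IPv4 or IPv6 address, since encoding it as a dNSName yields the "DNS Name=192.168.42.1" record shown above. It is written in Python rather than pfSense's PHP; the type names "DNS"/"IP", the function names and the sample entries are assumptions.

```python
import ipaddress
import re

# RFC 1123-style hostname: labels of letters, digits and hyphens, no leading or
# trailing hyphen. A dotted-quad IPv4 literal also matches this pattern, which
# is why the IP check must run before the hostname check.
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*\.?$"
)

def is_ip_address(value):
    """True for a literal IPv4 or IPv6 address (the IPv6 case included)."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def validate_san_entries(entries):
    """Return validation errors for (san_type, value) pairs; [] means all entries are acceptable.

    san_type is "DNS" (FQDN or Hostname) or "IP" (assumed names). A literal IP under
    "DNS" is rejected: as a dNSName it would never match the address a client used.
    """
    errors = []
    for san_type, value in entries:
        value = value.strip()
        if san_type == "DNS":
            if is_ip_address(value):
                errors.append(f"{value!r} is an IP address; use the 'IP Address' type")
            elif not _HOSTNAME_RE.match(value):
                errors.append(f"{value!r} is not a valid FQDN or hostname")
        elif san_type == "IP":
            if not is_ip_address(value):
                errors.append(f"{value!r} is not a valid IPv4 or IPv6 address")
        else:
            errors.append(f"unknown SAN type {san_type!r} for {value!r}")
    return errors

def build_subject_alt_name(entries):
    """Render already-validated entries as an OpenSSL-style subjectAltName string."""
    parts = []
    for san_type, value in entries:
        value = value.strip()
        if san_type == "IP":
            # Canonicalise, so "2001:0db8::1" is emitted as "2001:db8::1".
            value = str(ipaddress.ip_address(value))
        parts.append(f"{san_type}:{value}")
    return ", ".join(parts)
```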

Associated revisions

Revision 19a1cf34 (diff)
Added by Jim Pingle 9 months ago

Fix certificate SAN input validation so it does not improperly allow an IP address when FQDN is selected. Fixes #8275

Revision 6314fbba (diff)
Added by Jim Pingle 9 months ago

Fix certificate SAN input validation so it does not improperly allow an IP address when FQDN is selected. Fixes #8275

(cherry picked from commit 19a1cf348b07dbaf8fe4d81b8cfc8292b61fd8c3)

Revision 6a95ae60 (diff)
Added by Jim Pingle 9 months ago

Fix certificate SAN input validation so it does not improperly allow an IP address when FQDN is selected. Fixes #8275

(cherry picked from commit 19a1cf348b07dbaf8fe4d81b8cfc8292b61fd8c3)

Revision c8c7b243 (diff)
Added by Jim Pingle 9 months ago

Fix certificate SAN input validation so it does not improperly allow an IP address when FQDN is selected. Fixes #8275

(cherry picked from commit 19a1cf348b07dbaf8fe4d81b8cfc8292b61fd8c3)

History

#1 Updated by Jim Pingle 9 months ago

  • Subject changed from Certificate SAN (Subject Alternative Name) generated incorrectly for IP addresses to Input validation for Certificate SAN (Subject Alternative Name) allows IP addresses to be entered when FQDN/Hostname is selected
  • Assignee set to Jim Pingle
  • Priority changed from Normal to Very Low
  • Affected Version set to All

The user specifies the SAN type when making entries in the SAN list. If you choose "IP Address" it makes proper entries.

The only case for a bug here is that input validation doesn't reject an IP address made using the "FQDN or Hostname" selection.

You can work around your issue by properly selecting "IP Address" for the Type field in the Alternative Names list when creating a certificate.

#2 Updated by Jim Pingle 9 months ago

  • Target version set to 2.4.3
  • Affected Architecture set to All

#3 Updated by Mahmoud Al-Qudsi 9 months ago

I'm sorry, I completely missed that there's a dropdown that can be used to specify the record type.

#4 Updated by Jim Pingle 9 months ago

  • Status changed from New to Feedback
  • % Done changed from 0 to 100

#5 Updated by Jim Pingle 8 months ago

  • Status changed from Feedback to Resolved

Input validation works properly now; an IP address is rejected when FQDN is selected.
