Project

General

Profile

Actions

Bug #8275

closed

Input validation for Certificate SAN (Subject Alternative Name) allows IP addresses to be entered when FQDN/Hostname is selected

Added by Mahmoud Al-Qudsi about 6 years ago. Updated about 6 years ago.

Status:
Resolved
Priority:
Very Low
Assignee:
Category:
Certificates
Target version:
Start date:
01/12/2018
Due date:
% Done:

100%

Estimated time:
Plus Target Version:
Release Notes:
Affected Version:
All
Affected Architecture:
All

Description

As we're all aware, changes to how Chrome (and possibly other browsers in the future) disregard the common name field of an SSL certificate are making specifying correct SAN records in generated SSL certificates more important.

In pfSense, an IP address entered as a SAN on the certificate generation page results in an incorrect SAN record in the resulting certificate with the IP address understood as a FQDN/hostname rather than an IP. The final ssl cert SAN record ends up looking like "DNS Name=192.168.42.1" instead of "IP=192.168.42.1".

pfSense should parse the contents of the SAN fields submitted by the user and specify the correct SAN type during certificate generation. Hostnames and FQDNs should continue to use the DNS SAN record type, but IP addresses (obligatory "remember to include IPv6 parsing" reminder) should use the IP=a.b.c.d record type instead.


Files

Incorrectly generated IP SAN.png (11.8 KB) Incorrectly generated IP SAN.png How pfSense currently sets SAN with an IP value Mahmoud Al-Qudsi, 01/12/2018 01:23 PM
Correctly generated IP SAN.png (28.4 KB) Correctly generated IP SAN.png Correct SAN ip address configuration Mahmoud Al-Qudsi, 01/12/2018 01:23 PM
Actions

Also available in: Atom PDF