At [https://github.com/basho/riak_core/blob/develop/src/riak_core_ssl_util.erl#L189] we perform an exact string comparison on an X.509 certificate's CN and reject all connection attempts if the peer certificate's name matches our own.
The problem arises when the CN begins with a wildcard, which is not an uncommon practice where pools of hosts are involved. In this case, there are legitimate use cases where the connection's peers may present the same wildcarded certificate, which we reject - even if there's an explicit ACL allowing them.
The code is relatively easy to fix, once we decide how we want to fix it. The easiest path is to make it through the initial test if the CN is a wildcard, allowing the ACL test(s) to be applied. We could also add a configuration flag to allow this specific use case.
Initiated by customer issue [https://basho.zendesk.com/agent/tickets/10030]
[Created in JIRA by Ted Burghart]
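Added example to illustrate the issue, written as a small Python model rather than riak_core's Erlang code: the existing behaviour (exact CN compare first, rejecting a peer that presents our own name) next to the "pass through the initial test if the CN is a wildcard" option described above. It assumes the ACL is a list of shell-style name patterns and that a wildcard CN is one beginning with `*.`; both are assumptions of this example, not riak_core's actual ACL format.

```python
from fnmatch import fnmatchcase


def is_wildcard_cn(cn: str) -> bool:
    """Assumption for this example: a wildcard CN starts with '*.'."""
    return cn.startswith("*.")


def acl_allows(peer_cn: str, acl: list[str]) -> bool:
    """Assumed ACL model: a list of shell-style patterns; any match allows."""
    return any(fnmatchcase(peer_cn, pattern) for pattern in acl)


def current_check(our_cn: str, peer_cn: str, acl: list[str]) -> bool:
    """Model of the behaviour the issue describes.

    The self-name guard runs first and is an exact string compare, so two
    hosts sharing a wildcard certificate are rejected before the ACL is
    ever consulted, even when the ACL explicitly allows them.
    """
    if peer_cn == our_cn:
        return False  # peer presents our own name: rejected outright
    return acl_allows(peer_cn, acl)


def proposed_check(our_cn: str, peer_cn: str, acl: list[str]) -> bool:
    """Model of the proposed fix: let a wildcard CN through the self-name
    guard so the ACL decides. A non-wildcard self-name is still rejected,
    and a wildcard peer with no matching ACL entry is still rejected, so the
    ACL remains the only gate for the shared-certificate case.
    """
    if peer_cn == our_cn and not is_wildcard_cn(peer_cn):
        return False
    return acl_allows(peer_cn, acl)


if __name__ == "__main__":
    # Constructed sample: a host pool sharing one wildcard certificate.
    ours, theirs, acl = "*.pool.example", "*.pool.example", ["*.pool.example"]
    print("current :", current_check(ours, theirs, acl))   # False (bug)
    print("proposed:", proposed_check(ours, theirs, acl))  # True (ACL applied)
```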
If it would be helpful, it sounds as though the customer (see: https://basho.zendesk.com/agent/tickets/10030) would be more than happy to test a patch to verify that the fix resolves their issue.