Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

subject alternative names not respected by tls.checkServerIdentity #9639

Closed
richardbann opened this issue Nov 16, 2016 · 3 comments
Closed
Labels
tls Issues and PRs related to the tls subsystem.

Comments

@richardbann
Copy link

The tls.checkServerIdentity (https://github.com/nodejs/node/blob/master/lib/tls.js#L144) function assumes that subject alternative names can be accessed as cert.subjectaltname. Tests also use this: https://github.com/nodejs/node/blob/master/test/parallel/test-tls-check-server-identity.js#L59

At the same time the certificate object looks like something like this (as reported by tls.connect):

{
  subject: {
    CN: 'server',
    subjectAltName: 'DNS.1=localhost,DNS.2=vertis.com'
  },
  issuer: { CN: 'server-ca' },
  modulus: 'BF6E...',
  exponent: '0x10001',
  valid_from: 'Nov 16 13:36:31 2016 GMT',
  valid_to: 'Mar 31 13:36:31 2018 GMT',
  fingerprint: 'D1:9D:36:92:A6:E8:6D:80:48:89:FF:CA:73:1D:76:4F:C7:73:0B:1C',
  serialNumber: 'E70DDB6FE3209190',
  raw: <Buffer 30 82 02 ...>
}

This way the alt names will never be respected.

@mscdex mscdex added the tls Issues and PRs related to the tls subsystem. label Nov 16, 2016
@mscdex
Copy link
Contributor

mscdex commented Nov 16, 2016

/cc @indutny

@bnoordhuis
Copy link
Member

Please post a standalone test case. I'm highly skeptical that this bug report is correct. To illustrate:

$ node-v6.9.1-linux-x64/bin/node -e \
'tls.connect({host:"google.com",port:443}, function() { console.log(this.getPeerCertificate()) })'
{ subject: 
   { C: 'US',
     ST: 'California',
     L: 'Mountain View',
     O: 'Google Inc',
     CN: '*.google.com' },
  issuer: { C: 'US', O: 'Google Inc', CN: 'Google Internet Authority G2' },
  subjectaltname: 'DNS:*.google.com, DNS:*.android.com, DNS:*.appengine.google.com, DNS:*.cloud.google.com, DNS:*.google-analytics.com, DNS:*.google.ca, DNS:*.google.cl, DNS:*.google.co.in, DNS:*.google.co.jp, DNS:*.google.co.uk, DNS:*.google.com.ar, DNS:*.google.com.au, DNS:*.google.com.br, DNS:*.google.com.co, DNS:*.google.com.mx, DNS:*.google.com.tr, DNS:*.google.com.vn, DNS:*.google.de, DNS:*.google.es, DNS:*.google.fr, DNS:*.google.hu, DNS:*.google.it, DNS:*.google.nl, DNS:*.google.pl, DNS:*.google.pt, DNS:*.googleadapis.com, DNS:*.googleapis.cn, DNS:*.googlecommerce.com, DNS:*.googlevideo.com, DNS:*.gstatic.cn, DNS:*.gstatic.com, DNS:*.gvt1.com, DNS:*.gvt2.com, DNS:*.metric.gstatic.com, DNS:*.urchin.com, DNS:*.url.google.com, DNS:*.youtube-nocookie.com, DNS:*.youtube.com, DNS:*.youtubeeducation.com, DNS:*.ytimg.com, DNS:android.clients.google.com, DNS:android.com, DNS:developer.android.google.cn, DNS:g.co, DNS:goo.gl, DNS:google-analytics.com, DNS:google.com, DNS:googlecommerce.com, DNS:policy.mta-sts.google.com, DNS:urchin.com, DNS:www.goo.gl, DNS:youtu.be, DNS:youtube.com, DNS:youtubeeducation.com',
  infoAccess: 
   { 'CA Issuers - URI': [ 'http://pki.google.com/GIAG2.crt' ],
     'OCSP - URI': [ 'http://clients1.google.com/ocsp' ] },
  modulus: 'B7BA52E92F994C35FDB460514F133BC1C6C7F73DFE0344DF1B430AC53CB09D7BE21724B0D9F7F4F10A46ECD94194F4962E5076B502063AEBADBC75B914FA3867E21EE6D277D30C5B885F626E4978DE0F39C2210CD17CFEC400BB6281FA59B60E3FC06A3A1B4E709C23634312CE0743F1864E8443675862BCB941324D5E6E9F5FBF3D32E81BFFA88FB5EFC31A70F9798931C8A1BB1CB95B72FFB0CBE85B0D1985B24897384D0D0C23C867156229E2252D454B6D9674231880B7C213ADC15E37634B93F88E403E0E009C9B3F2678C7AF41EDA6982D954944C1BEFF668704DCF7AD65F43687337A532D12D3BCE01CCB5A0DF0CDC0BBD8306F9A33AC1CC17C7939B3',
  exponent: '0x10001',
  valid_from: 'Nov  3 01:49:41 2016 GMT',
  valid_to: 'Jan 26 01:13:00 2017 GMT',
  fingerprint: 'E5:6D:C5:F8:C4:6E:B2:4B:04:23:14:A1:71:06:BB:B0:A5:61:9E:1B',
  ext_key_usage: [ '1.3.6.1.5.5.7.3.1', '1.3.6.1.5.5.7.3.2' ],
  serialNumber: '05E620829390402C',

@richardbann
Copy link
Author

Thank you for helping me figure this out. This was caused by an invalid certificate. The issue can be closed.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
tls Issues and PRs related to the tls subsystem.
Projects
None yet
Development

No branches or pull requests

3 participants