Feature #7849

closed

trusted_hosts should determine hostname from certificate CN on SSL requests

Added by Dominic Cleal over 9 years ago. Updated over 5 years ago.

Status: Closed
Priority: Normal
Assignee: -
Category: Security
Target version:
Difficulty:
Triaged:
Fixed in Releases:
Found in Releases:

Description

trusted_hosts is based on reverse DNS, but when requests come in over HTTPS, the CN should be parsed from the certificate's DN and used for comparison against the trusted hosts list.


Related issues 3 (1 open, 2 closed)

  • Related to Smart Proxy - Bug #7822: CVE-2014-3691 - Smart proxy doesn't perform verification of client SSL certificate on API requests (Closed, Dominic Cleal, 10/06/2014)
  • Related to Smart Proxy - Bug #9919: trusted host test can hang during DNS lookup (Closed, Dominic Cleal, 03/27/2015)
  • Related to Smart Proxy - Feature #11039: Support more specific authorization of wildcard certificates (New, 07/07/2015)
Actions #1

Updated by Dominic Cleal over 9 years ago

  • Related to Bug #7822: CVE-2014-3691 - Smart proxy doesn't perform verification of client SSL certificate on API requests added
Actions #3

Updated by Dominic Cleal over 9 years ago

  • Target version set to 1.7.2
Actions #4

Updated by Dominic Cleal over 9 years ago

  • translation missing: en.field_release deleted (21)
Actions #5

Updated by Lukas Zapletal over 9 years ago

Markus, are you able to file a pull request? If not, I am going to take it from this point. Thanks!

Actions #6

Updated by Markus Frosch over 9 years ago

I didn't have the time yet, if you have, take over ;)

Please see my branch mentioned above.

This should validate the CN against the trusted_host list.

IMHO we don't need any hostname / ptr lookup.

Actions #7

Updated by Dominic Cleal over 9 years ago

I think we require the DNS lookup for HTTP requests, but should only use the DN parsing for HTTPS requests.
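
The behaviour discussed in this thread (certificate CN for HTTPS requests, reverse DNS for plain HTTP), as an added Ruby example that is not part of the ticket and not smart-proxy's own code. The function names, the Rack-style env keys and the injectable resolver are assumptions, and the certificate is constructed at run time as sample input.

```ruby
require 'openssl'
require 'resolv'

# CN from the subject DN of a PEM client certificate, or nil if absent/unparsable.
# Assumption: the TLS layer already verified the chain; this only reads the subject.
def cert_cn(pem)
  return nil if pem.nil? || pem.empty?
  subject = OpenSSL::X509::Certificate.new(pem).subject
  rdn = subject.to_a.find { |name, _value, _type| name == 'CN' }
  rdn && rdn[1].downcase
rescue OpenSSL::X509::CertificateError
  nil
end

# Hostname to compare against trusted_hosts. The Rack-style env keys (HTTPS,
# SSL_CLIENT_CERT, REMOTE_ADDR) and the injectable resolver are assumptions.
def request_hostname(env, resolver = ->(ip) { Resolv.new.getname(ip) })
  if %w[yes on 1].include?(env['HTTPS'].to_s)
    cert_cn(env['SSL_CLIENT_CERT']) # HTTPS: certificate CN only, no DNS fallback
  else
    resolver.call(env['REMOTE_ADDR']).downcase # HTTP: reverse DNS (PTR) lookup
  end
rescue Resolv::ResolvError
  nil
end

def trusted?(env, trusted_hosts, resolver = ->(ip) { Resolv.new.getname(ip) })
  host = request_hostname(env, resolver)
  !host.nil? && trusted_hosts.map(&:downcase).include?(host)
end

# Constructed sample input: a throwaway self-signed certificate with the given CN.
def constructed_cert_pem(cn)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/O=Example/CN=#{cn}")
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert.to_pem
end

if __FILE__ == $PROGRAM_NAME
  pem = constructed_cert_pem('foreman.example.com')
  env = { 'HTTPS' => 'on', 'SSL_CLIENT_CERT' => pem, 'REMOTE_ADDR' => '192.0.2.10' }
  puts trusted?(env, ['foreman.example.com'], ->(_ip) { 'unrelated.example.net' })
end
```

On HTTPS the PTR record of the peer address is never consulted, so a request without a parsable client certificate is rejected even when reverse DNS would have matched.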

Actions #8

Updated by Markus Frosch about 9 years ago

Finally(!!) had the time to work on the thing.

Result is here: https://github.com/lazyfrosch/smart-proxy/tree/feature/trusted_hosts-CN-7849

Should I open a PR or should we take care of additional tests?

I'm not sure how the test suite works though.

Actions #9

Updated by Dominic Cleal about 9 years ago

Nice, please do open a pull request and we can get it merged then. (Plus Jenkins will run the test suite for us.)

Adding new tests to test/sinatra/trusted_hosts_test.rb is probably best, but we can help with that in the PR if you're unsure.

Actions #11

Updated by Anonymous about 9 years ago

  • Status changed from New to Ready For Testing
  • Pull request https://github.com/theforeman/smart-proxy/pull/246 added
  • Pull request deleted ()
Actions #12

Updated by Dominic Cleal about 9 years ago

  • translation missing: en.field_release set to 28
Actions #13

Updated by Markus Frosch about 9 years ago

  • Status changed from Ready For Testing to Closed
  • % Done changed from 0 to 100
Actions #14

Updated by Dominic Cleal about 9 years ago

  • Related to Bug #9919: trusted host test can hang during DNS lookup added
Actions #15

Updated by Anonymous over 8 years ago

  • Related to Feature #11039: Support more specific authorization of wildcard certificates added