Feature #7849
closed
trusted_hosts should determine hostname from certificate CN on SSL requests
Added by Dominic Cleal over 9 years ago.
Updated almost 6 years ago.
Description
trusted_hosts is based on reverse DNS, but when requests come in over HTTPS, the CN should be parsed from the certificate's DN and used for comparison against the trusted hosts list.
- Related to Bug #7822: CVE-2014-3691 - Smart proxy doesn't perform verification of client SSL certificate on API requests added
- Target version set to 1.7.2
- translation missing: en.field_release deleted (
21)
Markus, are you able to file a pull request? If not, I am going to take from this point. Thanks!
I didn't have the time yet, if you have, take over ;)
Please see my branch mentioned above.
This should validate the CN against the trusted_host list.
IMHO we don't need any hostname / ptr lookup.
I think we require the DNS lookup for HTTP requests, but should only use the DN parsing for HTTPS requests.
Nice, please do open a pull request and we can get it merged then. (Plus Jenkins will run the test suite for us.)
Adding new tests to test/sinatra/trusted_hosts_test.rb is probably best, but we can help with that in the PR if you're unsure.
- Status changed from New to Ready For Testing
- Pull request https://github.com/theforeman/smart-proxy/pull/246 added
- Pull request deleted (
- translation missing: en.field_release set to 28
- Status changed from Ready For Testing to Closed
- % Done changed from 0 to 100
- Related to Bug #9919: trusted host test can hang during DNS lookup added
- Related to Feature #11039: Support more specific authorization of wildcard certificates added
Also available in: Atom
PDF
Updated by 
Updated by 
Updated by 
Updated by Anonymous