verify_cert_dns_name appears only to work against subjectAltName #11
Comments
No, that's not it. It's simpler: I just didn't implement the fallback to parsing dNSName and iPAddress out of Subject CNs because I wasn't sure if it was worth doing. This is similar to other things I dropped (compared to mozilla::pkix), such as dropping support for v1 certificates. I don't think I strongly object to the fallback being added back, but I'm not planning to do it myself soon.
I checked the CAB baseline requirements and subjectAltName is indeed required, so I've decided I also don't care very much. My knowledge of how this all works is about 10 years out of date :) Thanks! 👍
OK, I'm closing this. My goal is to avoid the bad stuff, and the Subject CN overloading is pretty bad, so I'm glad to not implement it.
Thank you very much to everyone who tracked this down! I just discovered that citusdata.com uses CN-only certificates for PostgreSQL databases. These will fail with
Citus was acquired by Microsoft, and it will be shut down early next year. So this isn't necessarily a pressing issue. But these broken certs are still used by major vendors, in at least some cases. (Oh, and I only figured this out because I'm trying to get dbcrossbar running on the new ARM Macs, and this is one of the last issues, AFAICT. Before ARM, we used
Known issues:
- Unit tests appear to hang.
- Citus certificates don't work because of briansmith/webpki#11.
I am open to providing not-enabled-by-default support for DNS names in the subject common name field. It would be good for somebody to design the API for people to opt into that. In general we don't have a configuration API in this crate; this would be one of the first bits of configuration. I filed #249 for designing and implementing the base configuration API on top of which we can add configuration such as this.
We switch to `rustls`. Unfortunately, this change sacrifices Citus Data compatibility because of briansmith/webpki#11. It should allow support for M1 Macs and eventually many other platforms, however.
Thank you for looking into this! Since Citus Data has only weeks to live, I'm switching Unfortunately, it's unlikely that we'll be able to work on support for DNS names in the common name field in the foreseeable future. And of course, many thanks for providing very useful TLS support in Rust!
I have the following cert:

I'd expect `verify_cert_dns_name` to say Ok to that for the input "testserver.com", but it says `CertNotValidForName`. Here's a minimal test program:

I think the issue is a missing match of `GeneralName::DirectoryName` in the closure given to `iterate_names`.
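As an added illustration (not webpki's code, and not the reporter's test program), the following models the two name-matching policies discussed in this thread: consulting only subjectAltName, which is how the crate behaves, versus an opt-in fallback to the Subject CN. The fallback is written the way RFC 6125 section 6.4.4 specifies it, applying only when the certificate carries no dNSName SAN at all, which goes slightly beyond what the thread states. The `Cert` struct, the `Policy` enum and the simplified wildcard handling are assumptions of this example and not part of webpki's API; the certificate data is constructed inline.

```rust
// Added example (not webpki's code): a model of the hostname-matching
// policies discussed in this issue. `Cert` is a hypothetical, already-parsed
// view of a certificate; real webpki works on DER input and has no such type.

#[derive(Debug, Clone, PartialEq)]
pub struct Cert {
    /// dNSName entries of the subjectAltName extension (empty when absent).
    pub san_dns_names: Vec<String>,
    /// Subject commonName, if any.
    pub subject_cn: Option<String>,
}

#[derive(Debug, Clone, Copy, PartialEq)]
pub enum Policy {
    /// Consult subjectAltName only; the Subject CN is never looked at.
    SanOnly,
    /// Opt-in fallback: use the Subject CN, but only when the certificate
    /// carries no dNSName SAN at all (RFC 6125 section 6.4.4).
    SanThenCn,
}

#[derive(Debug, Clone, PartialEq)]
pub enum NameError {
    CertNotValidForName,
}

/// Case-insensitive match of one presented identifier against the reference
/// hostname. A wildcard is honoured only as the whole left-most label and
/// must cover exactly one label of the reference name (simplified RFC 6125
/// section 6.4.3 rules; no IDNA handling).
pub fn presented_matches(presented: &str, reference: &str) -> bool {
    let p = presented.to_ascii_lowercase();
    let r = reference.to_ascii_lowercase();
    if p == r {
        return true;
    }
    if let Some(suffix) = p.strip_prefix("*.") {
        // Refuse overly broad wildcards such as "*.com".
        if !suffix.contains('.') {
            return false;
        }
        if let Some(dot) = r.find('.') {
            let (first_label, rest) = r.split_at(dot);
            let rest = &rest[1..]; // drop the leading '.'
            return !first_label.is_empty() && rest == suffix;
        }
    }
    false
}

/// Checks whether `cert` is valid for `hostname` under `policy`.
pub fn verify_cert_dns_name(cert: &Cert, hostname: &str, policy: Policy) -> Result<(), NameError> {
    if cert.san_dns_names.iter().any(|n| presented_matches(n, hostname)) {
        return Ok(());
    }
    // The CN is only a candidate when opted in AND the SAN lists no dNSName:
    // a certificate that names other hosts in its SAN but not this one is
    // simply not valid for it, whatever the CN says.
    if policy == Policy::SanThenCn && cert.san_dns_names.is_empty() {
        if let Some(cn) = &cert.subject_cn {
            if presented_matches(cn, hostname) {
                return Ok(());
            }
        }
    }
    Err(NameError::CertNotValidForName)
}

fn main() {
    // Constructed sample: a CN-only certificate like the one in the issue.
    let cn_only = Cert {
        san_dns_names: vec![],
        subject_cn: Some("testserver.com".to_string()),
    };
    println!("SAN only:    {:?}", verify_cert_dns_name(&cn_only, "testserver.com", Policy::SanOnly));
    println!("SAN then CN: {:?}", verify_cert_dns_name(&cn_only, "testserver.com", Policy::SanThenCn));
}
```

Under `Policy::SanOnly` the CN-only certificate is rejected with `CertNotValidForName`, which is the behaviour reported above; under `Policy::SanThenCn` it is accepted. Note that the fallback is deliberately not consulted once any dNSName SAN is present, so opting in does not widen what SAN-bearing certificates are valid for.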