
Fix for peer cert verify with IP address#10169

Merged
SparkiDev merged 3 commits into wolfSSL:master from embhorn:zd21565 on Apr 13, 2026

Conversation

@embhorn
Member

@embhorn embhorn commented Apr 8, 2026

Description

Issue with checking SAN with IP certs

Fixes zd21565

Testing

Added test cases to test_wolfSSL_X509_check_ip_asc

Checklist

  • added tests
  • updated/added doxygen
  • updated appropriate READMEs
  • Updated manual and documentation

@embhorn embhorn self-assigned this Apr 8, 2026
Copilot AI review requested due to automatic review settings April 8, 2026 20:50
Contributor

Copilot AI left a comment


Pull request overview

Note

Copilot was unable to run its full agentic suite in this review.

Fixes incorrect peer certificate verification behavior when the reference identity is an IP address by ensuring CN fallback is not used for IP checks (RFC 6125), and adds regression tests covering CN-only IP-like subjects.

Changes:

  • Skip Subject CN fallback during hostname verification when the input is an IP address.
  • Add regression tests ensuring CN-only certificates (including wildcard CN) are not accepted for IP verification.
  • Add a sanity check ensuring CN-based matching still works for non-IP hostname verification.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 5 comments.

File                        Description
tests/api/test_ossl_x509.c  Adds regression tests for IP verification behavior when SAN is missing and CN looks like an IP/wildcard IP.
src/internal.c              Updates hostname verification to avoid CN fallback when verifying IP addresses (RFC 6125 compliance).


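The behavior the review summary describes (no Subject CN fallback when the reference identity is an IP literal, per RFC 6125) is easiest to see with a small model verifier. The following is an added illustration, not wolfSSL's code and not the code changed in this pull request: the `toy_cert` type, the sample certificates, and the "pre-fix shape" function are all constructed for the example, reconstructed from the summary rather than copied from `src/internal.c`. It relies only on POSIX `inet_pton` and `strcasecmp`, and it also exercises an IPv6 iPAddress SAN, the case the Skoll review later asks to be covered by a regression test.

```c
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Constructed, simplified model of the identities a parsed certificate carries
 * (subject CN plus Subject Alternative Name entries). Illustration types only,
 * not wolfSSL's own structures. */
#define MAX_SAN 4
typedef enum { SAN_DNS, SAN_IP } san_type;
typedef struct { san_type type; const char *value; } san_entry;
typedef struct { const char *cn; int san_count; san_entry san[MAX_SAN]; } toy_cert;

/* 1 if ref is an IPv4 or IPv6 literal (an IP-ID in RFC 6125 terms), else 0. */
int ref_is_ip(const char *ref)
{
    unsigned char buf[16];
    return inet_pton(AF_INET, ref, buf) == 1 || inet_pton(AF_INET6, ref, buf) == 1;
}

/* Binary comparison, so "2001:db8::1" and "2001:db8:0:0:0:0:0:1" compare equal. */
static int ip_match(const char *san_ip, const char *ref)
{
    unsigned char a[16], b[16];
    if (inet_pton(AF_INET, san_ip, a) == 1 && inet_pton(AF_INET, ref, b) == 1)
        return memcmp(a, b, 4) == 0;
    if (inet_pton(AF_INET6, san_ip, a) == 1 && inet_pton(AF_INET6, ref, b) == 1)
        return memcmp(a, b, 16) == 0;
    return 0;
}

/* Case-insensitive DNS-ID match allowing one leading "*." wildcard label. */
static int dns_match(const char *pattern, const char *host)
{
    if (strncmp(pattern, "*.", 2) == 0) {
        const char *dot = strchr(host, '.');
        return dot != NULL && strcasecmp(pattern + 2, dot + 1) == 0;
    }
    return strcasecmp(pattern, host) == 0;
}

/* Pre-fix shape (constructed for illustration): whenever no SAN matched, the CN
 * is tried as a DNS-style pattern, even when ref is an IP literal. */
int verify_with_cn_fallback(const toy_cert *c, const char *ref)
{
    int i;
    for (i = 0; i < c->san_count; i++) {
        if (c->san[i].type == SAN_IP  && ip_match(c->san[i].value, ref))  return 1;
        if (c->san[i].type == SAN_DNS && dns_match(c->san[i].value, ref)) return 1;
    }
    return c->cn != NULL && dns_match(c->cn, ref);
}

/* Fixed shape per RFC 6125: an IP reference is matched only against iPAddress
 * SANs and never against the CN; a DNS reference may fall back to the CN only
 * when the certificate carries no dNSName SAN at all. */
int verify_rfc6125(const toy_cert *c, const char *ref)
{
    int is_ip = ref_is_ip(ref);
    int has_dns_san = 0;
    int i;
    for (i = 0; i < c->san_count; i++) {
        if (c->san[i].type == SAN_IP) {
            if (is_ip && ip_match(c->san[i].value, ref)) return 1;
        } else {
            has_dns_san = 1;
            if (!is_ip && dns_match(c->san[i].value, ref)) return 1;
        }
    }
    if (is_ip || has_dns_san || c->cn == NULL) return 0;  /* no CN fallback for IP-IDs */
    return dns_match(c->cn, ref);
}

/* Constructed sample certificates mirroring the regression cases in the summary. */
const toy_cert cert_cn_ip      = { "192.0.2.10", 0, { {SAN_DNS, NULL} } };
const toy_cert cert_cn_wild_ip = { "*.0.2.10",   0, { {SAN_DNS, NULL} } };
const toy_cert cert_san_ip     = { "ignored.example", 2,
                                   { {SAN_IP, "192.0.2.10"}, {SAN_IP, "2001:db8:0:0:0:0:0:1"} } };
const toy_cert cert_cn_host    = { "www.example.com", 0, { {SAN_DNS, NULL} } };

int main(void)
{
    printf("CN-only IP cert, ref 192.0.2.10:       fallback=%d fixed=%d\n",
           verify_with_cn_fallback(&cert_cn_ip, "192.0.2.10"),
           verify_rfc6125(&cert_cn_ip, "192.0.2.10"));
    printf("CN-only wildcard cert, ref 192.0.2.10: fallback=%d fixed=%d\n",
           verify_with_cn_fallback(&cert_cn_wild_ip, "192.0.2.10"),
           verify_rfc6125(&cert_cn_wild_ip, "192.0.2.10"));
    printf("iPAddress SAN cert, ref 2001:db8::1:   fixed=%d\n",
           verify_rfc6125(&cert_san_ip, "2001:db8::1"));
    printf("CN-only host cert, ref WWW.EXAMPLE.COM: fixed=%d\n",
           verify_rfc6125(&cert_cn_host, "WWW.EXAMPLE.COM"));
    return 0;
}
```

The two CN-only certificates are the interesting pair: a CN of `192.0.2.10` matches the IP reference by plain string comparison, and a CN of `*.0.2.10` matches it through ordinary wildcard-label logic, so any verifier that reaches the CN for an IP reference accepts both. The fixed path returns before the CN is ever consulted, which is exactly the check the summary describes.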
Contributor

@dgarske dgarske left a comment


🐺 Skoll Code Review

Overall recommendation: APPROVE
Findings: 1 total — 1 posted, 0 skipped

Posted findings

  • [Medium] No IPv6 regression test for IP-in-CN bypass (tests/api/test_ossl_x509.c:1063-1223)

Review generated by Skoll via openclaw

@douzzer douzzer mentioned this pull request Apr 9, 2026
@ColtonWilley
Contributor

Jenkins retest this please

Copilot AI review requested due to automatic review settings April 10, 2026 18:47
Contributor

Copilot AI left a comment


Pull request overview

Copilot reviewed 5 out of 7 changed files in this pull request and generated 1 comment.


@wolfSSL-Fenrir-bot wolfSSL-Fenrir-bot left a comment


Fenrir Automated Review — PR #10169

Scan targets checked: wolfssl-bugs, wolfssl-compliance, wolfssl-consttime, wolfssl-defaults, wolfssl-mutation, wolfssl-proptest, wolfssl-src, wolfssl-zeroize

No new issues found in the changed files. ✅

@embhorn embhorn removed their assignment Apr 13, 2026
@embhorn embhorn requested a review from dgarske April 13, 2026 19:54
@SparkiDev SparkiDev merged commit 649a32f into wolfSSL:master Apr 13, 2026
426 of 434 checks passed

7 participants