Server name check should automatically check IP address SAN #56
Labels
development
Standard development
r&d:polykey:core activity 4
End to End Networking behind Consumer NAT Devices
Comments
19 tasks
|
For PK, this is not a blocker, since we don't rely on IPs necessarily. We rely on custom Node ID verification. However, if we create an HTTP status page, and people expect to be able to contact it from a browser, it would be nice for it work out of the box for localhost or local IPs. Note that at this point it is still a self-signed certificate, and not signed by a public third party CA. That's ok, as the browser will ask once, and then accept it, the browser as a client would not understand the Node ID, but would understand normal verification based on |
CMCDragonkai
added
the
r&d:polykey:core activity 4
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Specification
OpenSSL implementations in nodejs automatically checks for IP SAN when checking the server name. Thus it is then possible to support certificates that are signed for certain IP addresses.
However quiche's boring usage did not activate this, so it completely ignores IP SANs.
In our tests, which we use
localhostand127.0.0.1and::1alot, without this it results in a bunch of TLS verification failures.To get around this, we ended up with
DNSSANs that are127.0.0.1and::1as strings. However this is not correct as there are multiple forms of::1that is valid, and the IP SANs would allow the TLS library to understand it's not just a string match, and instead do an IP equivalence check.This will require an upstream fix, details are here: #53 (comment)
Additional context
js-events) #53 (comment)js-events) #53 (comment)Tasks
The text was updated successfully, but these errors were encountered: