OkHostName verifier unable to verify ipv6 addresses #1072

Open
vineethgn opened this issue Jun 6, 2022 · 3 comments
vineethgn commented Jun 6, 2022

java -version

openjdk version "11.0.15" 2022-04-19
OpenJDK Runtime Environment (build 11.0.15+10-post-Debian-1deb10u1)
OpenJDK 64-Bit Server VM (build 11.0.15+10-post-Debian-1deb10u1, mixed mode, sharing)

uname -a
Linux example 5.10.104-custom #1 SMP Mon Sep 27 00:00:00 UTC 2010 x86_64 GNU/Linux

Using conscrypt tag 2.5.0.

We are trying to use Conscrypt as the SSL provider for Kafka and we are running into issues when verifying IP addresses.

In our certificate we have the following IPv6 addresses (these are not the real addresses, but something similar):

IPAddress: 2001:0db8:85a3:1130::0370:7334
IPAddress: 2001:0db8:85a3:1130:0:0:0370:7334
IPAddress: 2001:0db8:85a3:1130:0000:0000:0370:7334

Here in this example, the real IP address of the host is 2001:0db8:85a3:1130:0:0:0370:7334, but when the Conscrypt engine's OkHostnameVerifier calls getSubjectAltNames(certificate, ALT_IPA_NAME), it returns the three alt names as below: 2001:0db8:85a3:1130::0370:7334 (and does not return the other two IP addresses, one of which is also the machine's IP address). Because of this, and since we are using if (ipAddress.equalsIgnoreCase(altNames.get(i))), in , the IP address verification returns false, resulting in the exception below:

javax.net.ssl.SSLHandshakeException: No subjectAltNames on the certificate match

I am looking for the best way to verify an IP address, as getSubjectAltNames returns the IP address in only one format (2001:0db8:85a3:1130::0370:7334 and not 2001:0db8:85a3:1130:0:0:0370:7334, which is the machine's IP address), and since we use equalsIgnoreCase, it fails even if the SSL certificate contains the correct alt names.

Could someone please help with what would be the best way to verify an IP address in OkHostnameVerifier? Does the certificate need to have a different IP address format so that the verification succeeds?

vineethgn (Author) commented

I checked this further and this seems to be caused by the application (in my case Kafka) giving the IPv6 address without any shortening, whereas OkHostnameVerifier was using the shortened IPv6 address. So when

if (ipAddress.equalsIgnoreCase(altNames.get(i))) {

was used, it failed to verify the IP address. For now I am using InetAddress to normalize the IP address before verifying and it works!
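One way to do the normalisation the comment above describes, as an added example that is not Conscrypt's or the reporter's own code: parse both the peer address and each IP SAN with InetAddress and compare the raw address bytes, so that all three spellings in the certificate match the same host. The class and method names are assumptions, and the sample addresses are the constructed ones from the issue.

```java
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.Arrays;
import java.util.List;
import java.util.regex.Pattern;

public class IpSanMatcher {
    // A host name can never contain ':', so a string with a colon (optionally
    // bracketed, e.g. "[::1]") is an IPv6 literal; dotted decimal is IPv4.
    // Anything else is refused before it reaches InetAddress.getByName, which
    // would otherwise try a DNS lookup on a host name.
    private static final Pattern IPV6_LITERAL =
            Pattern.compile("^\\[?[0-9A-Fa-f:.]*:[0-9A-Fa-f:.]*\\]?$");
    private static final Pattern IPV4_LITERAL =
            Pattern.compile("^[0-9]{1,3}(\\.[0-9]{1,3}){3}$");

    /** Returns the canonical 4- or 16-byte form of an IP literal, or null if s is not one. */
    static byte[] canonicalIp(String s) {
        if (s == null) {
            return null;
        }
        boolean v6 = IPV6_LITERAL.matcher(s).matches();
        if (!v6 && !IPV4_LITERAL.matcher(s).matches()) {
            return null; // host name, zone-scoped address or garbage: not comparable here
        }
        String bare = (v6 && s.startsWith("[") && s.endsWith("]"))
                ? s.substring(1, s.length() - 1) : s;
        try {
            return InetAddress.getByName(bare).getAddress(); // no DNS for a literal
        } catch (UnknownHostException e) {
            return null; // malformed literal
        }
    }

    /** True if ipAddress equals any IP SAN once both sides are in canonical byte form. */
    static boolean verifyIpAddress(String ipAddress, List<String> altNames) {
        byte[] want = canonicalIp(ipAddress);
        if (want == null) {
            return false;
        }
        for (String san : altNames) {
            byte[] have = canonicalIp(san);
            if (have != null && Arrays.equals(want, have)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed sample: the single shortened SAN string the issue reports seeing.
        List<String> sans = List.of("2001:0db8:85a3:1130::0370:7334");
        System.out.println(verifyIpAddress("2001:0db8:85a3:1130:0:0:0370:7334", sans));
        System.out.println(verifyIpAddress("2001:0db8:85a3:1130:0:0:0370:7335", sans));
    }
}
```

With this check the three certificate spellings and the unshortened form Kafka passes in all reduce to the same 16 bytes, while a host name or a zone-scoped address is rejected rather than resolved.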

davidben (Contributor) commented

Note Conscrypt currently has a bug where it reports IPv6 addresses incorrectly. See #938. @prbprbprb FYI

prbprbprb (Collaborator) commented

Sorry, I dropped the ball on this one! Looks like we should update Conscrypt's HostnameVerifier and the one in the Android platform with @yschimke's ipv6 normalisation fixes.

@prbprbprb prbprbprb added the bug label Jan 15, 2023
@prbprbprb prbprbprb self-assigned this Jan 15, 2023