bclzvs / serf

Automatically exported from code.google.com/p/serf

serf is oblivious of SSL extensions such as Subject Alternative Name (SAN) #56

GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?
1. compile subversion with serf (only)
2. connect to a site that uses a SAN certificate
(https://scm.brainsware.org/svn/srcedit/trunk/src/)
n.b.: The certificate's CN is mail.brainsware.org, but it includes a
number of SANs: DNS:mail.brainsware.org, DNS:www.mail.brainsware.org,
DNS:ftp.brainsware.org, DNS:scm.brainsware.org,
DNS:roscm.esotericsystems.at, DNS:mail.esotericsystems.at

The output from svn for the above example is:

i.galic@pheme /etc/bw (svn)-[bw:243] % sudo svn st -u
Error validating server certificate for 'https://scm.brainsware.org':
 - The certificate hostname does not match.
Certificate information:
 - Hostname: mail.brainsware.org
 - Valid: from May 12 19:02:32 2010 GMT until Apr 30 21:54:12 2012 GMT
 - Issuer: http://certificates.godaddy.com/repository, GoDaddy.com, Inc.,
Scottsdale, Arizona, US ((null))
 - Fingerprint: 3A:AE:5E:95:A9:2E:BC:83:B5:96:0F:AC:F6:76:50:0B:E0:79:48:7F
(R)eject or accept (t)emporarily?

OS:
Linux panic 2.6.32-3-amd64 #1 SMP Wed Feb 24 18:07:42 UTC 2010 x86_64 GNU/Linux
Serf version: 0.3.1, compiled against the system's OpenSSL (0.9.8n-1)

In order for this to work, serf would have to iterate over the available
SANs (DNS, IPs, and/or other stuff).

Original issue reported on code.google.com by i.ga...@brainsware.org on 12 May 2010 at 9:46

GoogleCodeExporter commented 9 years ago
Most other libraries refer to this TLS feature as SNI "Server Name Indication".

This feature is supported in later OpenSSL 0.9.8 versions via a compile-time
flag and is enabled by default in OpenSSL 1.0.0.
(Neon automatically enables SNI when it finds support in OpenSSL during
compilation.)

Original comment by b...@qqmail.nl on 25 Jun 2011 at 12:02

GoogleCodeExporter commented 9 years ago
These are actually two different (but related) items.

SAN checks added to serf r1509; SNI added in r1508.

ra_serf can now use both of these items: r1139573 (SAN) and r1139566 (SNI).

Host validation with svn trunk and serf trunk against scm.brainsware.org now
passes successfully w/o a warning.

Original comment by justin.e...@gmail.com on 25 Jun 2011 at 5:26
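
The SAN iteration requested in the original report, as an added example that is not part of this thread and is not serf's code. It assumes the CN and DNS SANs have already been extracted from the certificate as strings; `verify_host` and the other names are hypothetical, and the wildcard rule (one leftmost label only) is an assumption of this sketch.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* DNS names compare case-insensitively. */
static int eq_nocase(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    return *a == *b; /* equal only if both strings ended together */
}

/* "*.example.org" matches exactly one non-empty leftmost label. */
static int name_matches(const char *pattern, const char *host)
{
    const char *dot = strchr(host, '.');
    if (strncmp(pattern, "*.", 2) == 0)
        return dot != NULL && dot != host && eq_nocase(pattern + 1, dot);
    return eq_nocase(pattern, host);
}

/* Hypothetical helper: try every dNSName SAN; use the CN only when there is
 * no dNSName SAN at all (RFC 2818, section 3.1). n == 0 models a CN-only check. */
int verify_host(const char *cn, const char *const *sans, size_t n,
                const char *host)
{
    if (n == 0)
        return name_matches(cn, host);
    for (size_t i = 0; i < n; i++)
        if (name_matches(sans[i], host))
            return 1;
    return 0;
}

/* CN and DNS SANs as listed in the report above. */
#define REPORT_CN "mail.brainsware.org"
static const char *const REPORT_SANS[] = {
    "mail.brainsware.org", "www.mail.brainsware.org", "ftp.brainsware.org",
    "scm.brainsware.org", "roscm.esotericsystems.at", "mail.esotericsystems.at"
};
#define REPORT_NSANS (sizeof REPORT_SANS / sizeof REPORT_SANS[0])

int main(void)
{
    const char *host = "scm.brainsware.org";
    printf("CN only: %d, SAN-aware: %d\n", verify_host(REPORT_CN, NULL, 0, host),
           verify_host(REPORT_CN, REPORT_SANS, REPORT_NSANS, host));
    return 0;
}
```

Once a certificate carries any dNSName SAN, the CN is no longer consulted, so a certificate whose CN matches but whose SAN list does not is rejected.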