Better (?) IP matching scheme for self-signed certs

francoismichel / ssh3

SSH3: faster and rich secure shell using HTTP/3, checkout our article here: https://arxiv.org/abs/2312.08396 and our Internet-Draft: https://datatracker.ietf.org/doc/draft-michel-ssh3/

https://arxiv.org/abs/2312.08396

Apache License 2.0

3.18k stars 81 forks source link

Better (?) IP matching scheme for self-signed certs #138

Closed pg83 closed 2 months ago

pg83 commented 2 months ago

https://github.com/francoismichel/ssh3/blob/main/cmd/ssh3.go#L117

        // If no IP SAN was in the cert, then assume the self-signed cert at least matches the .ssh3 TLD
        if foundSelfsignedSSH3 {
            // Put "ssh3" as ServerName so that the TLS verification can succeed
            // Otherwise, TLS refuses to validate a certificate without IP SANs
            // if the hostname is an IP address.
            tlsConf.ServerName = "selfsigned.ssh3"
        }

May be use IP as surrogate server name substitute there, so one can use DNS:*,DNS:10.0.0.*,DNS:192.168.* (and so on) self-signed certificates?

francoismichel commented 2 months ago

Hi ! I don't think it is possible to use wildcards in IP certificates. That means that DNS:* won't match IP addresses, only domain names IIRC. This is why I'm using a specific, domain name right now: it is a way to provide a wildcard cert for IP addresses. If no cert matches the exact IP address but a certificate containing the selfsigned.ssh3 server name is found in the known hosts, use that one, and that works with any IP address.

But if somehow it is possible to use wildcards in IP SANs of x509, I would love to change all that to what you're proposing.