nabla-c0d3 / sslyze

Fast and powerful SSL/TLS scanning library.
GNU Affero General Public License v3.0

Add IP Address SAN to Certificates Information #544

Closed babelr closed 1 year ago

babelr commented 2 years ago

Is your feature request related to a problem? Please describe.
We're using a PKI Solution in our company and I'm testing installed certificates with sslyze to verify its proper installation on servers. We are using not only DNS Subject Alternative Names, but also IP Address Subject Alternative Names. Unfortunately, when testing the server either with --certinfo or --regular I only get to see the DNS Subject Alternative Names. Furthermore, when I test against the IP Address of the Server, the Hostname Validation fails, which shouldn't be the case.

Describe the solution you'd like
I would like to see the "IP Address SAN" Information of the tested certificate, and a successful hostname validation when targeting the server by its IP Address. E.g.: sslyze --regular --certinfo_ca_file my-root.pem server.domain:443

 * Certificates Information:
   Hostname sent for SNI:             server.domain
   Number of certificates detected:   1

 Certificate #0 ( _RSAPublicKey )
   SHA1 Fingerprint:                  50766e1c18436323bd57d9f854e498f3671bdccc
   Common Name:                       server.domain
   Issuer:                            My Issuing CA
   Serial Number:                     2185473029123456789074175114908454567893256470
   Not Before:                        2021-11-04
   Not After:                         2023-11-04
   Public Key Algorithm:              _RSAPublicKey
   Signature Algorithm:               sha256
   Key Size:                          2048
   Exponent:                          65537
   DNS Subject Alternative Names:     ['server', 'server.domain']
   IP Subject Alternative Names:      ['192.168.1.10']     <- This is what I would like to see

Also in the test results, when I run this command: sslyze --regular --certinfo_ca_file my-root.pem 192.168.1.10:443

  Certificate #0 - Trust
    Hostname Validation:               FAILED - Certificate does NOT match server hostname    <- This shouldn't fail

Describe alternatives you've considered
My alternative is to open up a web browser and manually inspect the certificate.

Thanks and cheers Rene
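The two behaviours this request asks for (listing iPAddress SANs next to dNSName SANs, and letting an IP-literal target pass hostname validation when it appears as an iPAddress SAN) come down to how the SubjectAltName extension is parsed and matched. The following is an added example written for this page; it is not sslyze's code and not the code from the PR mentioned below. It decodes a GeneralNames SEQUENCE with the standard library only and matches a target against it. The DER bytes, the `server` / `server.domain` names and the `192.168.1.10` and `2001:db8::10` addresses are constructed sample data; the function names are this example's own.

```python
"""Parse an X.509 SubjectAltName extension and match a scan target against it.

Added example (not sslyze's code). It demonstrates listing iPAddress SANs next
to dNSName SANs and accepting an IP-literal target that appears as an
iPAddress SAN. All sample data below is constructed for this example.
"""
import ipaddress

# GeneralName context-specific tags from RFC 5280, section 4.2.1.6.
TAG_DNS_NAME = 0x82    # [2] IMPLICIT IA5String
TAG_IP_ADDRESS = 0x87  # [7] IMPLICIT OCTET STRING (4 bytes IPv4, 16 bytes IPv6)
TAG_SEQUENCE = 0x30


def _tlv(tag, value):
    """Encode one short-form DER TLV (used only to build the constructed sample)."""
    assert len(value) < 0x80, "short-form length only"
    return bytes([tag, len(value)]) + value


# Constructed SubjectAltName value mirroring the certificate in the issue,
# plus one IPv6 entry so the 16-octet case is exercised as well.
SAMPLE_SAN_DER = _tlv(
    TAG_SEQUENCE,
    _tlv(TAG_DNS_NAME, b"server")
    + _tlv(TAG_DNS_NAME, b"server.domain")
    + _tlv(TAG_IP_ADDRESS, ipaddress.IPv4Address("192.168.1.10").packed)
    + _tlv(TAG_IP_ADDRESS, ipaddress.IPv6Address("2001:db8::10").packed),
)


def _read_length(buf, pos):
    """Decode a DER length at buf[pos]; return (length, position after it)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def parse_general_names(der):
    """Return (dns_names, ip_addresses) from a DER GeneralNames SEQUENCE."""
    if not der or der[0] != TAG_SEQUENCE:
        raise ValueError("SubjectAltName value must be a SEQUENCE")
    length, pos = _read_length(der, 1)
    end = pos + length
    dns_names, ip_addresses = [], []
    while pos < end:
        tag = der[pos]
        length, pos = _read_length(der, pos + 1)
        value = der[pos:pos + length]
        pos += length
        if tag == TAG_DNS_NAME:
            dns_names.append(value.decode("ascii"))
        elif tag == TAG_IP_ADDRESS:
            # iPAddress SANs are raw network-order octets, not text.
            if len(value) not in (4, 16):
                raise ValueError("iPAddress SAN must be 4 or 16 octets")
            ip_addresses.append(ipaddress.ip_address(value))
        # Other GeneralName choices (rfc822Name, URI, ...) are ignored here.
    return dns_names, ip_addresses


def _dns_name_matches(pattern, hostname):
    """Case-insensitive dNSName match allowing a single leading wildcard label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        labels = hostname.split(".")
        return len(labels) > 1 and ".".join(labels[1:]) == pattern[2:]
    return pattern == hostname


def target_matches_san(target, dns_names, ip_addresses):
    """Hostname validation that also honours iPAddress SANs.

    An IP-literal target is compared only against iPAddress entries (RFC 6125
    does not let it satisfy a dNSName); any other target is a DNS-name match.
    """
    try:
        target_ip = ipaddress.ip_address(target.strip("[]"))
    except ValueError:
        return any(_dns_name_matches(p, target) for p in dns_names)
    return target_ip in ip_addresses


def san_report(der):
    """Lines in the style of sslyze's certinfo output, with the IP SAN row added."""
    dns_names, ip_addresses = parse_general_names(der)
    return [
        f"DNS Subject Alternative Names:     {dns_names}",
        f"IP Subject Alternative Names:      {[str(ip) for ip in ip_addresses]}",
    ]


if __name__ == "__main__":
    for line in san_report(SAMPLE_SAN_DER):
        print(line)
    names, ips = parse_general_names(SAMPLE_SAN_DER)
    for target in ("server.domain", "192.168.1.10", "192.168.1.11"):
        print(target, "->", "OK" if target_matches_san(target, names, ips) else "FAILED")
```

The separation in `target_matches_san` is the part that matters for the second half of the request: a target such as 192.168.1.10 is parsed as an address and compared against the decoded iPAddress entries, so the comparison is on the packed octets rather than on a string, and an IPv6 literal in any textual form (bracketed, compressed or not) matches the same SAN. A scanner that only runs string matching against dNSName entries will report "does NOT match server hostname" for exactly the case described above.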

gattjoe commented 2 years ago

I submitted a PR here to add this functionality

nabla-c0d3 commented 1 year ago

Released as part of v5.1.0