noxxi / p5-io-socket-ssl

IO::Socket::SSL Perl Module

IPv6 iPAddress subjectAltName verification fails without SSL_verifycn_name #123

Closed rhansen closed 1 year ago

rhansen commented 1 year ago

Starting with version 2.078 (I think, see #121), if SSL_verifycn_name is not set, host name verification of an IPv6 literal PeerAddr (such as "::1") fails even if the subjectAltName contains an iPAddress entry with that address. An IPv4 literal PeerAddr (such as "127.0.0.1") validates successfully without setting SSL_verifycn_name (assuming the IPv4 address is in SAN), so this seems to be specific to IPv6. Maybe the IPv6 behavior is intentional; if so, shouldn't the IPv4 behavior be changed to match?

See https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1028849 for additional context.

I'll write an MWE upon request.

noxxi commented 1 year ago

Thanks for reporting. Problem was a wrong extraction of the IPv6 address for verification from PeerAddr. This is fixed in 2.079 2681d9d.
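Added example, not part of the thread and not IO::Socket::SSL code: a language-independent Python sketch of the check under discussion, deriving the verification identity from a PeerAddr-style string and comparing IP literals against iPAddress SAN entries in binary form. The function names and the `(type, value)` SAN format are hypothetical, and the sketch does not reproduce the defect fixed in 2.079.

```python
import ipaddress

def split_peer_addr(peer_addr):
    """Split 'host', 'host:port', '[v6]' or '[v6]:port' into (host, port)."""
    if peer_addr.startswith("["):
        host, sep, rest = peer_addr[1:].partition("]")
        if not sep or (rest and not rest.startswith(":")):
            raise ValueError("malformed bracketed address: %r" % peer_addr)
        return host, (int(rest[1:]) if rest else None)
    # Exactly one colon means host:port. An IPv6 literal always has two
    # or more colons, so a bare "::1" is kept whole and has no port.
    if peer_addr.count(":") == 1:
        host, port = peer_addr.split(":")
        return host, int(port)
    return peer_addr, None

def verification_identity(peer_addr):
    """Return ('ip', packed_bytes) for IP literals, else ('dns', name)."""
    host, _ = split_peer_addr(peer_addr)
    try:
        return "ip", ipaddress.ip_address(host).packed
    except ValueError:
        return "dns", host.lower()

def matches_san(peer_addr, san_entries):
    """Check peer_addr against SAN entries given as (type, value) pairs.

    The pair format is constructed for this example. IP literals are
    compared only with iPAddress entries, byte for byte, so different
    spellings of one IPv6 address match and an IP never matches a
    dNSName. DNS names are matched exactly; wildcards are left out.
    """
    kind, ident = verification_identity(peer_addr)
    for san_type, value in san_entries:
        if kind == "ip" and san_type == "IP":
            if ipaddress.ip_address(value).packed == ident:
                return True
        elif kind == "dns" and san_type == "DNS":
            if value.lower() == ident:
                return True
    return False

# Constructed SAN list, as a certificate for a local test server might carry.
SAMPLE_SAN = [("DNS", "localhost"), ("IP", "127.0.0.1"),
              ("IP", "0:0:0:0:0:0:0:1")]

if __name__ == "__main__":
    for addr in ("::1", "[::1]:443", "127.0.0.1:443", "::2"):
        print(addr, matches_san(addr, SAMPLE_SAN))
```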