tempesta-tech / tempesta-test

Test suite for Tempesta FW

Subject Alternative Name certificates #297

Closed b3b closed 2 years ago

b3b commented 2 years ago

Tests for #212. All tests should pass for the current Tempesta FW version.

Changes to the framework:

b3b commented 2 years ago

Quite a comprehensive test suite, good work!

It seems there is an issue with Tempesta and/or test suite configuration (see a comment) and a test for http_host_required is required.

I missed the questions from #212 (comment) , so I reply here:

  1. does RFC (which one BTW?) allow capital letters in SAN and SNI? If yes, then a new issue should be created for Tempesta FW (can be aggregated with #1688 since the same code is going to be )
  2. definitely a new issue (can be aggregated with #1688 since the same code is going to be updated)
  3. definitely a new issue (can be aggregated with #1688 since the same code is going to be updated)
  4. I don't think this is an issue, but the referenced link, as well as the case itself, is interesting and should be added to the appropriate test comment
  5. Does the RFC really allow any character for SNI and SAN? What do development communities, like Mozilla, Chrome and OpenSSL, write about this? In my opinion this may lead to severe problems, including security, not just broken logging. If we really need to support all characters in the range 0-255, then yes, it makes sense to fix the logger (also as part of #1688)
  6. also a minor bug for #1688

Please mask all the failing tests.

  1. Capital letters are allowed in SAN and SNI. According to RFC6066 Section 3. Server Name Indication:

    • "The hostname is represented as a byte string using ASCII encoding without a trailing dot."
    • "DNS hostnames are case-insensitive."
  2. RFC6066 and related RFCs do not restrict SNI characters. But perhaps it is worth restricting names according to the DNS preferred name syntax, and allowing only [a-zA-Z0-9-] characters separated by dots. Related discussion in the OpenSSL project: https://github.com/openssl/openssl/issues/12566
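The two points above (case-insensitive host names per RFC 6066, and restricting SNI to the DNS preferred name syntax) are easy to state but worth seeing in code. The following is an added example written for this review thread; it is not code from this PR, from the tempesta-test framework, or from Tempesta FW, and the function names, the wildcard rule (RFC 6125 style, one `*` for the whole leftmost label only) and the `SAMPLE_CERTS` table are assumptions constructed for illustration. It shows how an SNI byte string would be normalized (ASCII only, no trailing dot, no IP literal, labels limited to `[a-zA-Z0-9-]`) and then matched case-insensitively against dNSName SAN entries.

```python
import ipaddress
import re
from typing import Dict, List, Optional

# RFC 1034 "preferred name syntax": each label is letters, digits and hyphens,
# starts and ends with a letter or digit, and is 1..63 octets; the whole name
# is at most 253 octets. Case is irrelevant (DNS names are case-insensitive).
_LABEL_RE = re.compile(r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?", re.IGNORECASE)
_MAX_NAME_LEN = 253


def is_preferred_name_syntax(name: str) -> bool:
    """True if `name` is a DNS host name in RFC 1034 preferred name syntax.

    A trailing dot is rejected because RFC 6066 section 3 forbids it in SNI.
    """
    if not name or len(name) > _MAX_NAME_LEN or name.endswith("."):
        return False
    return all(_LABEL_RE.fullmatch(label) for label in name.split("."))


def is_ip_literal(name: str) -> bool:
    """RFC 6066 section 3: literal IPv4/IPv6 addresses are not permitted in SNI."""
    try:
        ipaddress.ip_address(name)
    except ValueError:
        return False
    return True


def normalize_sni(raw: bytes) -> Optional[str]:
    """Turn the raw host_name bytes of a ServerNameList into a canonical
    lowercase DNS name, or return None if the name must be rejected.

    The byte string must be ASCII (octets >= 0x80 are refused outright, which
    also keeps non-printable bytes out of log lines), must not be an IP
    literal, and must satisfy the preferred name syntax.
    """
    try:
        name = raw.decode("ascii")
    except UnicodeDecodeError:
        return None
    if is_ip_literal(name) or not is_preferred_name_syntax(name):
        return None
    return name.lower()


def san_matches(san: str, host: str) -> bool:
    """Match one dNSName SAN entry against a normalized host, case-insensitively.

    Wildcard rule (assumed, RFC 6125 style): a single '*' may stand only for
    the entire leftmost label, so '*.example.com' covers 'www.example.com'
    but neither 'example.com' nor 'a.b.example.com'.
    """
    san = san.lower()
    host = host.lower()
    if san.startswith("*."):
        suffix = san[1:]  # ".example.com"
        if not host.endswith(suffix):
            return False
        leftmost = host[: -len(suffix)]
        return bool(leftmost) and "." not in leftmost
    return san == host


def select_certificate(raw_sni: bytes, certs: Dict[str, List[str]]) -> Optional[str]:
    """Return the label of the first certificate whose SAN list covers the SNI,
    or None when the SNI is invalid or nothing matches (reject or use default)."""
    host = normalize_sni(raw_sni)
    if host is None:
        return None
    for label, sans in certs.items():
        if any(san_matches(san, host) for san in sans):
            return label
    return None


# Constructed sample: two hypothetical certificates keyed by a label.
SAMPLE_CERTS = {
    "apex": ["example.com", "www.example.com"],
    "wildcard": ["*.example.com"],
}

if __name__ == "__main__":
    for sni in (b"WWW.Example.com", b"api.example.com", b"api.example.com.",
                b"192.0.2.1", b"exa\xffmple.com", b"-bad.example.com"):
        print(sni, "->", select_certificate(sni, SAMPLE_CERTS))
```

Running the block shows `WWW.Example.com` resolving to the `apex` certificate (case folded before comparison), `api.example.com` to the wildcard one, and the trailing-dot, IP-literal, non-ASCII and leading-hyphen inputs all rejected before any certificate lookup or log line is produced. A test for the SAN/SNI cases in this PR could assert exactly these outcomes.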