Feature #7849

trusted_hosts should determine hostname from certificate CN on SSL requests

Added by Dominic Cleal about 6 years ago. Updated over 2 years ago.

Status: Closed
Priority: Normal
Assignee: -
Category: Security
Target version:
Difficulty:
Triaged:
Bugzilla link:
Fixed in Releases:
Found in Releases:

Description

trusted_hosts is based on reverse DNS, but when requests come in over HTTPS, the CN should be parsed from the certificate's DN and used for comparison against the trusted hosts list.


Related issues

Related to Smart Proxy - Bug #7822: CVE-2014-3691 - Smart proxy doesn't perform verification of client SSL certificate on API requests (Closed, 2014-10-06)
Related to Smart Proxy - Bug #9919: trusted host test can hang during DNS lookup (Closed, 2015-03-27)
Related to Smart Proxy - Feature #11039: Support more specific authorization of wildcard certificates (New, 2015-07-07)

Associated revisions

Revision 30aff66f (diff)
Added by Markus Frosch almost 6 years ago

Fixes #7849 - re-factor trusted_hosts handling

On HTTPS we will get the FQDN from the client certificate and check against the
list.

While on HTTP we will perform both reverse DNS and forward DNS lookup to verify
the client may talk to us.

Additionally the forward_verify of DNS can be disabled.
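
The check this commit message describes, sketched as an added Ruby example (not code from the smart-proxy repository): the HTTPS path compares the certificate CN against the list, and the HTTP path does a reverse lookup followed by an optional forward verification. The helper names, the stub resolver and the sample hostnames and addresses are assumptions made for illustration.

```ruby
require "openssl"
require "resolv"

# Helper names are hypothetical (added example, not smart-proxy's own code).
# The CN is only meaningful once the TLS layer has verified the certificate.
def cn_from_cert(cert)
  entry = cert.subject.to_a.find { |field, _value, _type| field == "CN" }
  entry && entry[1].downcase
end

def listed?(fqdn, trusted_hosts)
  !fqdn.nil? && trusted_hosts.map(&:downcase).include?(fqdn.downcase)
end

# HTTPS: the hostname comes from the certificate's DN, no DNS involved.
def https_client_trusted?(cert, trusted_hosts)
  listed?(cn_from_cert(cert), trusted_hosts)
end

# HTTP: reverse lookup of the peer address, then (unless disabled) a forward
# lookup that must map the returned name back to the same address.
def http_client_trusted?(ip, trusted_hosts, resolver:, forward_verify: true)
  fqdn = resolver.getname(ip).to_s
  return false if forward_verify && !resolver.getaddresses(fqdn).map(&:to_s).include?(ip)
  listed?(fqdn, trusted_hosts)
rescue Resolv::ResolvError
  false
end

# Constructed stand-in for a DNS resolver so the example runs offline.
StubResolver = Struct.new(:ptr, :fwd) do
  def getname(ip)
    ptr.fetch(ip) { raise Resolv::ResolvError, "no PTR for #{ip}" }
  end

  def getaddresses(name)
    fwd.fetch(name, [])
  end
end

# Constructed, unsigned certificate carrying only a subject DN.
def sample_cert(cn)
  cert = OpenSSL::X509::Certificate.new
  cert.subject = OpenSSL::X509::Name.new([["O", "Example"], ["CN", cn]])
  cert
end
```

With forward verification on, an address whose PTR record claims a trusted name is still rejected unless that name resolves back to the same address.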

Revision e1bc928e (diff)
Added by Markus Frosch almost 6 years ago

Refs #7849 - Avoid OpenSSL deprecation

deprecated openssl/x509 use: require "openssl" instead of "openssl/x509"

History

#1 Updated by Dominic Cleal about 6 years ago

  • Related to Bug #7822: CVE-2014-3691 - Smart proxy doesn't perform verification of client SSL certificate on API requests added

#3 Updated by Dominic Cleal about 6 years ago

  • Target version set to 1.7.2

#4 Updated by Dominic Cleal almost 6 years ago

  • Legacy Backlogs Release (now unused) deleted (21)

#5 Updated by Lukas Zapletal almost 6 years ago

Markus, are you able to file a pull request? If not, I am going to take from this point. Thanks!

#6 Updated by Markus Frosch almost 6 years ago

I didn't have the time yet, if you have, take over ;)

Please see my branch mentioned above.

This should validate the CN against the trusted_host list.

IMHO we don't need any hostname / ptr lookup.

#7 Updated by Dominic Cleal almost 6 years ago

I think we require the DNS lookup for HTTP requests, but should only use the DN parsing for HTTPS requests.

#8 Updated by Markus Frosch almost 6 years ago

Finally(!!) had the time to work on the thing.

Result is here: https://github.com/lazyfrosch/smart-proxy/tree/feature/trusted_hosts-CN-7849

Should I open a PR or should we take care of additional tests?

I'm not sure how the test suite works though.

#9 Updated by Dominic Cleal almost 6 years ago

Nice, please do open a pull request and we can get it merged then. (Plus Jenkins will run the test suite for us.)

Adding new tests to test/sinatra/trusted_hosts_test.rb is probably best, but we can help with that in the PR if you're unsure.

#11 Updated by Anonymous almost 6 years ago

  • Status changed from New to Ready For Testing
  • Pull request https://github.com/theforeman/smart-proxy/pull/246 added
  • Pull request deleted ()

#12 Updated by Dominic Cleal almost 6 years ago

  • Legacy Backlogs Release (now unused) set to 28

#13 Updated by Markus Frosch almost 6 years ago

  • Status changed from Ready For Testing to Closed
  • % Done changed from 0 to 100

#14 Updated by Dominic Cleal over 5 years ago

  • Related to Bug #9919: trusted host test can hang during DNS lookup added

#15 Updated by Anonymous over 5 years ago

  • Related to Feature #11039: Support more specific authorization of wildcard certificates added
