Project

General

Profile

Actions
Copy link

Feature #7849

closed

trusted_hosts should determine hostname from certificate CN on SSL requests

Added by Dominic Cleal about 10 years ago. Updated over 6 years ago.

Status:
Closed
Priority:
Normal
Assignee:
-
Category:
Security
Target version:
1.8.0
Difficulty:
Triaged:
Bugzilla link:
Pull request:
https://github.com/theforeman/smart-proxy/pull/246
Fixed in Releases:
Found in Releases:
Red Hat JIRA:

Description

trusted_hosts is based on reverse DNS, but when requests come in over HTTPS, the CN should be parsed from the certificate's DN and used for comparison against the trusted hosts list.

Related issues 3 (1 open2 closed)

Related to Smart Proxy - Bug #7822: CVE-2014-3691 - Smart proxy doesn't perform verification of client SSL certificate on API requestsClosedDominic Cleal10/06/2014Actions
Related to Smart Proxy - Bug #9919: trusted host test can hang during DNS lookupClosedDominic Cleal03/27/2015Actions
Related to Smart Proxy - Feature #11039: Support more specific authorization of wildcard certificatesNew07/07/2015Actions
Actions
Copy link
 #1

Updated by Dominic Cleal about 10 years ago

  • Related to Bug #7822: CVE-2014-3691 - Smart proxy doesn't perform verification of client SSL certificate on API requests added
Actions
Copy link
 #3

Updated by Dominic Cleal about 10 years ago

  • Target version set to 1.7.2
Actions
Copy link
 #4

Updated by Dominic Cleal about 10 years ago

  • Translation missing: en.field_release deleted (21)
Actions
Copy link
 #5

Updated by Lukas Zapletal about 10 years ago

Markus, are you able to file a pull request? If not, I am going to take from this point. Thanks!

Actions
Copy link
 #6

Updated by Markus Frosch about 10 years ago

I didn't have the time yet, if you have, take over ;)

Please see my branch mentioned above.

This should validate the CN against the trusted_host list.

IMHO we don't need any hostname / ptr lookup.

Actions
Copy link
 #7

Updated by Dominic Cleal about 10 years ago

I think we require the DNS lookup for HTTP requests, but should only use the DN parsing for HTTPS requests.

Actions
Copy link
 #8

Updated by Markus Frosch almost 10 years ago

Finally(!!) had the time to work on the thing.

Result is here: https://github.com/lazyfrosch/smart-proxy/tree/feature/trusted_hosts-CN-7849

Should I open a PR or should we take care about additional tests?

I'm not sure how the test suite works though.

Actions
Copy link
 #9

Updated by Dominic Cleal almost 10 years ago

Nice, please do open a pull request and we can get it merged then. (Plus Jenkins will run the test suite for us.)

Adding new tests to test/sinatra/trusted_hosts_test.rb is probably best, but we can help with that in the PR if you're unsure.

Actions
Copy link
 #11

Updated by Anonymous almost 10 years ago

  • Status changed from New to Ready For Testing
  • Pull request https://github.com/theforeman/smart-proxy/pull/246 added
  • Pull request deleted ()
Actions
Copy link
 #12

Updated by Dominic Cleal almost 10 years ago

  • Translation missing: en.field_release set to 28
Actions
Copy link
 #13

Updated by Markus Frosch almost 10 years ago

  • Status changed from Ready For Testing to Closed
  • % Done changed from 0 to 100
Actions
Copy link
 #14

Updated by Dominic Cleal over 9 years ago

  • Related to Bug #9919: trusted host test can hang during DNS lookup added
Actions
Copy link
 #15

Updated by Anonymous over 9 years ago

  • Related to Feature #11039: Support more specific authorization of wildcard certificates added
Actions
Copy link

Also available in: Atom PDF