[7.8] subjectAltName not supported

Boris Popov, DeepCove Labs (SNN)

A couple of issues are demonstrated by the code below in the clean 7.8 image:

1. The default SSL certificate validation block (SSLConnection class>>defaultValidationBlockFactoryValue) attempts to emulate the browser, but doesn't check the subjectAltName extension.

2. It is impossible to provide a custom block to address the above, because only the subject field is passed in during validation (SSLSession>>validateCertificateChain:for:).

Parcel loadParcelByName: 'HTTPS'.

ca := (HttpClient get: 'http://test.eonis.net/test.cacert') contents readStream.
X509Registry trustedCertificates addAll: (CertificateFileReader new readFrom: ca).
#('https://test.eonis.net/' 'https://test.eonis.org/' 'https://test.eonis.com/')
    do: [:url | HttpClient get: url]

>openssl x509 -text -in eonis.pem | grep Alternative -A 1
            X509v3 Subject Alternative Name:
                DNS:test.eonis.net, DNS:test.eonis.org, DNS:*.co.uk, DNS:*.com, DNS:*, DirName:/CN=Does your browser believe this bullshit?

Unhandled exception: Certificate Subject Failed Validation !
optimized [] in Security.SSLWarning>>sendIn:as:
BlockClosure>>ifCurtailed:
Security.SSLBadCertificate(Security.SSLWarning)>>sendIn:as:
Security.SSLBadCertificate(Security.SSLException)>>sendIn:
Security.SSLSession>>validateCertificateChain:for:
Security.SSLHandshake>>validateCertificateChain:
Security.SSLRSAKeyExchange>>receiveServerKeyExchange:
Security.SSLCipherSuite>>receiveServerKeyExchange:
Security.SSLSession>>receiveServerKeyExchange:
Security.SSLSession>>connectNew:
Security.SSLSession>>connectHandshake:subjectValidator:
optimized [] in Security.SSLSession>>connect:subjectValidator:
BlockClosure>>on:do:
Security.SSLSession>>connect:subjectValidator:
Security.SSLConnection>>connectSubject:
optimized [] in Net.SSLConnection>>startSSL
BlockClosure>>ifCurtailed:
Net.HttpsConnection(Net.SSLConnection)>>startSSL
Net.HttpsConnection>>openStreamFor:port:timeout:
Net.HttpProtocolInterpreter(Net.NetProtocolInterpreter)>>connectToHost:port:timeout:
Net.HttpProtocolInterpreter>>connect
Net.HttpProtocolInterpreter>>executeRequest:
Net.HttpClient>>privateExecuteRequest
Net.HttpClient>>executeRequestDo:
Net.HttpClient>>executeAndGetResponse
Net.HttpClient>>get:

-Boris

Sr. Software Engineer
DeepCove Labs
4th floor, 595 Howe Street
Vancouver, BC V6C 2T5
Canada

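As an added example that is not part of the post or of the VisualWorks SSL classes, here is what a browser-style validator does with the certificate above: it matches the requested host against the subjectAltName dNSName entries, falls back to the subject CN only when no dNSName is present, and rejects wildcards such as "*", "*.com" and "*.co.uk". The public-suffix set is a small constructed stand-in for the real Public Suffix List.

```python
import re
from typing import Iterable, List, Optional

# Constructed stand-in for the Public Suffix List; a real validator loads the full list.
PUBLIC_SUFFIXES = {"com", "net", "org", "uk", "co.uk"}

# The SAN line openssl printed for the test certificate in the post (copied, not generated here).
SAN_LINE = ("DNS:test.eonis.net, DNS:test.eonis.org, DNS:*.co.uk, DNS:*.com, DNS:*, "
            "DirName:/CN=Does your browser believe this bullshit?")


def parse_san_dns(line: str) -> List[str]:
    """Extract the dNSName entries from openssl's 'DNS:a, DNS:b, DirName:...' rendering."""
    return [m.group(1).strip() for m in re.finditer(r"DNS:([^,]+)", line)]


def _valid_wildcard(pattern: str) -> bool:
    """Allow only '*.<registrable domain>' (RFC 6125 section 6.4.3 plus the public-suffix rule)."""
    labels = pattern.split(".")
    if labels[0] != "*" or "*" in pattern[2:]:
        return False          # '*' must be the entire leftmost label and the only wildcard
    rest = ".".join(labels[1:])
    # '*', '*.com' and '*.co.uk' would match every host under a public suffix: reject them
    return len(labels) >= 3 and rest not in PUBLIC_SUFFIXES


def _dns_match(pattern: str, host: str) -> bool:
    """Case-insensitive match of one dNSName pattern against the host we connected to."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    if not _valid_wildcard(pattern):
        return False
    p_labels, h_labels = pattern.split("."), host.split(".")
    # the wildcard covers exactly one label, so the label counts must agree
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def match_hostname(host: str, san_dns: Iterable[str], subject_cn: Optional[str]) -> bool:
    """Browser-style rule: dNSName entries are authoritative; the subject CN is consulted
    only when the certificate carries no dNSName at all."""
    san_dns = list(san_dns)
    if san_dns:
        return any(_dns_match(p, host) for p in san_dns)
    return subject_cn is not None and _dns_match(subject_cn, host)


if __name__ == "__main__":
    sans = parse_san_dns(SAN_LINE)
    for h in ("test.eonis.net", "test.eonis.org", "test.eonis.com", "www.example.co.uk"):
        print(h, match_hostname(h, sans, None))
```

With the post's three URLs, only test.eonis.net and test.eonis.org pass; test.eonis.com is refused because "*.com" and "*" are not acceptable wildcards, which is the behaviour the author is comparing against.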
_______________________________________________
vwnc mailing list
[hidden email]
http://lists.cs.uiuc.edu/mailman/listinfo/vwnc