Tonight, I spent a few hours implementing RFC5952: https://github.com/colmmacc/s2n/commit/4e7d2424b059b1350353fbb95c251d5ff024535e ... because it turns out that there's no portable way to be sure that IPv6 strings will be in a canonical format. How is that not fixed in 2019? Crazy! Exact-match is needed in many applications.
Replying to @colmmacc
Why do you need inet_ntop to verify an IPv6 SAN? The address is stored as 16 octets so verification should just be a memcmp.
Replying to @__agwa
We have an existing verify_host callback fn that a s2n caller can set. It takes a string as an argument, so we have to turn the 16 octets into a string for that function. I want to make sure that the format is always canonicalized and the callback will work the same everywhere.
Replying to @colmmacc
Why not new callbacks verify_ip and verify_ipv6 that take in_addr and in6_addr arguments? It seems generally better for security to keep things as strongly-typed as possible instead of coercing everything to a string.
Also, a single callback means an IP will be validated if it's in a DNS SAN. That has finally been eradicated from the WebPKI, and it would be a shame to see it facilitated in private PKIs, as it puts pressure on other validators to also be lax, when the trend is to be stricter.
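An added example (not code from s2n, from the commit linked in the first post, or from anyone in the thread) that puts the two positions above side by side: an RFC 5952 section 4 formatter that turns the 16 octets of an iPAddress SAN into one canonical string no matter how inet_ntop on a given platform would have spelled it, and the strongly typed alternative from the replies, where the caller's expected address is parsed once with inet_pton and matched against the SAN octets with memcmp, so no text form of the certificate's address is ever produced. The function names, the 16-byte sample SAN and the test spellings are constructed for this example; the only section 5 mixed-notation range it special-cases is ::ffff:0:0/96.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* RFC 5952 section 4 form of a 16-octet IPv6 address: lowercase hex, no
 * leading zeros in a field, "::" only for the longest run of two or more zero
 * fields (first run wins a tie), plus section 5 mixed notation for the
 * ::ffff:0:0/96 IPv4-mapped range. Other embedded-IPv4 ranges are not
 * special-cased (an assumption of this example). out needs INET6_ADDRSTRLEN. */
char *ipv6_rfc5952(const uint8_t addr[16], char *out)
{
    uint16_t f[8];
    int i, best_start = -1, best_len = 0, run_start = -1, run_len = 0;
    char *p = out;
    size_t room = INET6_ADDRSTRLEN;

    for (i = 0; i < 8; i++)
        f[i] = (uint16_t)((addr[2 * i] << 8) | addr[2 * i + 1]);

    if (f[0] == 0 && f[1] == 0 && f[2] == 0 && f[3] == 0 && f[4] == 0 &&
        f[5] == 0xffff) {
        snprintf(out, room, "::ffff:%u.%u.%u.%u",
                 addr[12], addr[13], addr[14], addr[15]);
        return out;
    }

    /* Longest run of zero fields; the i == 8 pass flushes a trailing run. */
    for (i = 0; i <= 8; i++) {
        if (i < 8 && f[i] == 0) {
            if (run_start < 0) { run_start = i; run_len = 0; }
            run_len++;
        } else {
            if (run_start >= 0 && run_len >= 2 && run_len > best_len) {
                best_start = run_start;
                best_len = run_len;
            }
            run_start = -1;
        }
    }

    for (i = 0; i < 8; i++) {
        if (i == best_start) {
            /* "::" replaces the whole run and supplies its own separators */
            *p++ = ':';
            *p++ = ':';
            i += best_len - 1;
            continue;
        }
        if (i > 0 && i != best_start + best_len)
            *p++ = ':';
        p += snprintf(p, room - (size_t)(p - out), "%x", f[i]);
    }
    *p = '\0';
    return out;
}

/* Parse any accepted spelling and re-emit it canonically. 1 on success,
 * 0 if text is not an IPv6 address (IPv4 literals are rejected on purpose). */
int ipv6_canonical(const char *text, char out[INET6_ADDRSTRLEN])
{
    struct in6_addr a;
    if (inet_pton(AF_INET6, text, &a) != 1)
        return 0;
    ipv6_rfc5952(a.s6_addr, out);
    return 1;
}

/* Does text canonicalize to exactly expected? Used for the checks below. */
int canonical_equals(const char *text, const char *expected)
{
    char buf[INET6_ADDRSTRLEN];
    return ipv6_canonical(text, buf) && strcmp(buf, expected) == 0;
}

/* Strongly typed alternative: the SAN is already 16 octets, so parse the
 * caller's expectation once and compare bytes. Nothing to canonicalize.
 * 1 on match, 0 on mismatch or if expected_text is not an IPv6 address. */
int ipv6_san_matches(const uint8_t san[16], const char *expected_text)
{
    struct in6_addr expected;
    if (inet_pton(AF_INET6, expected_text, &expected) != 1)
        return 0;
    return memcmp(san, expected.s6_addr, 16) == 0;
}

/* Constructed sample: the octets an iPAddress SAN carries for 2001:db8::1 */
static const uint8_t kSampleSan[16] = {
    0x20, 0x01, 0x0d, 0xb8, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0x01
};

int main(void)
{
    const char *spellings[] = { "2001:DB8:0:0:0:0:0:1", "2001:db8::0:1" };
    char buf[INET6_ADDRSTRLEN];
    size_t i;

    for (i = 0; i < sizeof spellings / sizeof spellings[0]; i++)
        printf("%-22s -> %s\n", spellings[i],
               ipv6_canonical(spellings[i], buf) ? buf : "(invalid)");
    printf("memcmp match for 2001:DB8::1: %d\n",
           ipv6_san_matches(kSampleSan, "2001:DB8::1"));
    return 0;
}
```

Both spellings print as 2001:db8::1, which is the property the first post wants from a string callback: the same bytes always yield the same text. The memcmp path sidesteps the question entirely, and because inet_pton only accepts IPv6 syntax, a dotted-quad expectation such as 127.0.0.1 can never match a 16-octet SAN through it.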
Replying to @BRIAN_____ @colmmacc
This doesn't appear to be the case with s2n's SAN parser, however; here's a test case to make sure "127.0.0.1" gets passed to the callback when it's in a DNS SAN: https://github.com/awslabs/s2n/blob/e7def58f81e67ccc89e2f1db1b4088482ea2eeb2/tests/unit/s2n_x509_validator_test.c#L622-L656
That can't be changed without breaking backwards compat, so new callbacks are needed for IP SANs so an application that wants to be strict can be.