Tonight, I spent a few hours implementing RFC5952: https://github.com/colmmacc/s2n/commit/4e7d2424b059b1350353fbb95c251d5ff024535e ... because it turns out that there's no portable way to be sure that IPv6 strings will be in a canonical format. How is that not fixed in 2019? Crazy! Exact-match is needed in many applications.
Replying to @colmmacc
Why do you need inet_ntop to verify an IPv6 SAN? The address is stored as 16 octets so verification should just be a memcmp.
Replying to @__agwa
We have an existing verify_host callback fn that a s2n caller can set. It takes a string as an argument, so we have to turn the 16 octets into a string for that function. I want to make sure that the format is always canonicalized and the callback will work the same everywhere.
Replying to @colmmacc
Why not new callbacks verify_ip and verify_ipv6 that take in_addr and in6_addr arguments? It seems generally better for security to keep things as strongly-typed as possible instead of coercing everything to a string.
Also, a single callback means an IP will be validated if it's in a DNS SAN. That has finally been eradicated from the WebPKI, and it would be a shame to see it facilitated in private PKIs, as it puts pressure on other validators to also be lax, when the trend is to be stricter.
We might add new ones, but we can't change the old one for back-compat reasons :)
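An added example, not part of the thread and not the code from the linked s2n commit: a minimal RFC 5952 formatter that turns the 16 stored octets into one canonical string, so that an exact string match behaves the same on every platform. The names `ipv6_canonical` and `ipv6_matches` are hypothetical, and the sketch assumes the hex-group form only (no mixed IPv4 notation such as `::ffff:192.0.2.1`).

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example (not s2n code): write the RFC 5952 text form of a raw
 * 16-octet IPv6 address into out (39 chars + NUL); returns the length.
 * Assumption: hex groups only, no mixed ::ffff:192.0.2.1 notation. */
int ipv6_canonical(const uint8_t addr[16], char out[40])
{
    uint16_t g[8];
    int best_start = -1, best_len = 0, n = 0;

    for (int i = 0; i < 8; i++)
        g[i] = (uint16_t)((addr[2 * i] << 8) | addr[2 * i + 1]);
    /* Pick the first longest run of zero groups; a lone zero is never "::". */
    for (int i = 0; i < 8; ) {
        int j = i;
        while (j < 8 && g[j] == 0)
            j++;
        if (j - i >= 2 && j - i > best_len) {
            best_start = i;
            best_len = j - i;
        }
        i = (j == i) ? i + 1 : j;
    }
    for (int i = 0; i < 8; ) {
        if (i == best_start) {               /* the compressed run */
            n += snprintf(out + n, 40 - n, "::");
            i += best_len;
            continue;
        }
        if (i > 0 && i != best_start + best_len)  /* no ':' right after "::" */
            n += snprintf(out + n, 40 - n, ":");
        /* lowercase hex with leading zeros suppressed */
        n += snprintf(out + n, 40 - n, "%x", (unsigned)g[i++]);
    }
    return n;
}

/* Hypothetical string-taking check: exact match on the canonical text. */
int ipv6_matches(const uint8_t addr[16], const char *expected)
{
    char s[40];
    ipv6_canonical(addr, s);
    return strcmp(s, expected) == 0;
}

int main(void)
{
    /* Constructed sample: 2001:0DB8:0000:0000:0000:0000:0000:0001 */
    const uint8_t a[16] = { 0x20, 0x01, 0x0d, 0xb8, [15] = 0x01 };
    return ipv6_matches(a, "2001:db8::1") ? 0 : 1;
}
```

A caller comparing against configured strings still has to store those strings in the same canonical form; comparing the 16 octets directly, as suggested in the replies, avoids that requirement.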