
Rustls is unable to handle TLS certificates with IP addresses in SAN DNS names #257

Open
lucacasonato opened this issue Apr 15, 2022 · 6 comments

Comments

@lucacasonato

Example:

use std::convert::TryFrom; // needed for `try_from` on editions before 2021
use std::io::BufReader;
use std::io::Cursor;
use webpki::DnsNameRef;

fn main() {
  // PEM-encoded server certificate taken from a DigitalOcean-managed Postgres instance
  let cert = br#"
-----BEGIN CERTIFICATE-----
MIIGjjCCBPagAwIBAgIUb+bHc5CRq+HMoqKgLJVpQgk4XcIwDQYJKoZIhvcNAQEM
BQAwOjE4MDYGA1UEAwwvMzBhNjllNTItNTg1Zi00MmQ5LTkwODEtODg0N2Q3YTRj
MzY5IFByb2plY3QgQ0EwHhcNMjIwNDE1MjIwODUxWhcNMjQwNzEzMjIwODUxWjBa
MRAwDgYDVQQIDAdzZXJ2aWNlMS0wKwYDVQQKDCQzMGE2OWU1Mi01ODVmLTQyZDkt
OTA4MS04ODQ3ZDdhNGMzNjkxFzAVBgNVBAMMDmJlZHdhcnMtYXBwLTEwMIIBojAN
BgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEA5WSnWwJU7D4WX7rqwNwx1zTMZYON
AsOw6gr4sVvNYAEXy3dnQCkdCgBmF8GIrLNU/wF+Wh9LUL89FYpPxOhlgIz6r0X+
mm3lvB6LRtGxwR4fihXgFLxOYwYu3gkd3Ooq81be1k0YwY2X95F02/IcU89V8l0t
eYaxluJG6M+JMRNnKa/bdffjYcgWHslNbxBu1owNRjsl1cj5nd+LFJ9NNZQoxqzP
eH3uMAvoBCoyUtWoTCTwrt9KPYj8RJCFnJvj14Qz+9KFy0rEXg3ZoxBCnSDCfm1I
egtO/AlOGtGhCbrrse2G/miKL7hqZi8y9VTRIlD2mL3mnG4onfaWbYxjlIvqMtU+
4FtBYCv0cV3FZMs+mM+7fZT4e5rsBbZFQiQw8bZnX16xJ53+j21G50VKffMYaJ+H
X8kWDD+8F+LnM+xnbPBRSqDK0X0nZ2u3vCr60FuqeRlGc7LIWn6CvjAF1J8wWEW1
QNgf2fRTcthIHUFJMmBiBZX26X7DPHwSJcbBAgMBAAGjggJqMIICZjAdBgNVHQ4E
FgQUrKIfpWX4XCxxCQJDBqUb3sLTIPIwCQYDVR0TBAIwADALBgNVHQ8EBAMCBaAw
ggIrBgNVHREEggIiMIICHoIONDYuMTAxLjIzNi4xMzWCPHB1YmxpYy1iZWR3YXJz
LWFwcC1kby11c2VyLTQ4NTExNDktMC5iLmRiLm9uZGlnaXRhbG9jZWFuLmNvbYJF
cHJpdmF0ZS1yZXBsaWNhLWJlZHdhcnMtYXBwLWRvLXVzZXItNDg1MTE0OS0wLmIu
ZGIub25kaWdpdGFsb2NlYW4uY29tggoxMC4xMTQuMC4ygj1wcml2YXRlLWJlZHdh
cnMtYXBwLWRvLXVzZXItNDg1MTE0OS0wLmIuZGIub25kaWdpdGFsb2NlYW4uY29t
hwQKcgACgj1yZXBsaWNhLWJlZHdhcnMtYXBwLWRvLXVzZXItNDg1MTE0OS0wLmIu
ZGIub25kaWdpdGFsb2NlYW4uY29tghkqLmIuZGIub25kaWdpdGFsb2NlYW4uY29t
gihuLWJlZHdhcnMtYXBwLTEwLmIuZGIub25kaWdpdGFsb2NlYW4uY29tgi9wdWJs
aWMtbi1iZWR3YXJzLWFwcC0xMC5iLmRiLm9uZGlnaXRhbG9jZWFuLmNvbYI1YmVk
d2Fycy1hcHAtZG8tdXNlci00ODUxMTQ5LTAuYi5kYi5vbmRpZ2l0YWxvY2Vhbi5j
b22CRHB1YmxpYy1yZXBsaWNhLWJlZHdhcnMtYXBwLWRvLXVzZXItNDg1MTE0OS0w
LmIuZGIub25kaWdpdGFsb2NlYW4uY29thwQuZeyHMA0GCSqGSIb3DQEBDAUAA4IB
gQAYB9J601i+WBGavpg4LHbUjN+YyIPSQnQIuWpNKQ5UHq0pdUPUZ4Any3/GbPuG
GhmwcH36MlIQXbVjqqx1gQCRpX0XMw0saXqvMCpZpFm2fyg4Q/6TKExzE4ehMfOC
N/eHGAERvsc1kByN+wVcvVqHaD36X2HpXNdhxlqoVUrcCsVCOkEyj6UYi5N1nAWV
mRaCOlCgd9i8i3CKFvKIMFZGJQOx3oVD8NTuucLwJRc7e7QNW+bvJ/JWv6U12+T1
gUOIn466qylvWvmF0V/C79L3oh7TppMYPb11IbOFzwicIJd69SotN37vQrW5xhtz
pBsiGqrNC+PeP4g9YIgAHiNDB/oTRCRbWbU6OJnc9MJO5GgieVnSsKMdAX28bKyw
RbSCrFMYVLCoZa8MF8MrO4n8HX9oCZFmre7Cp8HoWO0SGw92YIygSlMzzm1bniRf
BCzJNklNiqAKu+9HIUd6hMOSJlrkGxYTag5D6zRU/O8So23qi1Bn3gQykqj1JknD
b+k=
-----END CERTIFICATE-----
  "#;

  // Decode the PEM block into one or more DER certificates
  let reader = &mut BufReader::new(Cursor::new(cert));
  let certs = rustls_pemfile::certs(reader).unwrap();

  // Parse the first (only) DER certificate as an end-entity certificate
  let cert = webpki::EndEntityCert::try_from(&*certs[0]).unwrap();

  // Check the certificate against the hostname; this is the call that panics
  let dns_name = DnsNameRef::try_from_ascii_str(
    "bedwars-app-do-user-4851149-0.b.db.ondigitalocean.com",
  )
  .unwrap();
  cert.verify_is_valid_for_dns_name(dns_name).unwrap();
}

Dump of the certificate:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            6f:e6:c7:73:90:91:ab:e1:cc:a2:a2:a0:2c:95:69:42:09:38:5d:c2
        Signature Algorithm: sha384WithRSAEncryption
        Issuer: CN = 30a69e52-585f-42d9-9081-8847d7a4c369 Project CA
        Validity
            Not Before: Apr 15 22:08:51 2022 GMT
            Not After : Jul 13 22:08:51 2024 GMT
        Subject: ST = service, O = 30a69e52-585f-42d9-9081-8847d7a4c369, CN = bedwars-app-10
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (3072 bit)
                Modulus:
                    00:e5:64:a7:5b:02:54:ec:3e:16:5f:ba:ea:c0:dc:
                    31:d7:34:cc:65:83:8d:02:c3:b0:ea:0a:f8:b1:5b:
                    cd:60:01:17:cb:77:67:40:29:1d:0a:00:66:17:c1:
                    88:ac:b3:54:ff:01:7e:5a:1f:4b:50:bf:3d:15:8a:
                    4f:c4:e8:65:80:8c:fa:af:45:fe:9a:6d:e5:bc:1e:
                    8b:46:d1:b1:c1:1e:1f:8a:15:e0:14:bc:4e:63:06:
                    2e:de:09:1d:dc:ea:2a:f3:56:de:d6:4d:18:c1:8d:
                    97:f7:91:74:db:f2:1c:53:cf:55:f2:5d:2d:79:86:
                    b1:96:e2:46:e8:cf:89:31:13:67:29:af:db:75:f7:
                    e3:61:c8:16:1e:c9:4d:6f:10:6e:d6:8c:0d:46:3b:
                    25:d5:c8:f9:9d:df:8b:14:9f:4d:35:94:28:c6:ac:
                    cf:78:7d:ee:30:0b:e8:04:2a:32:52:d5:a8:4c:24:
                    f0:ae:df:4a:3d:88:fc:44:90:85:9c:9b:e3:d7:84:
                    33:fb:d2:85:cb:4a:c4:5e:0d:d9:a3:10:42:9d:20:
                    c2:7e:6d:48:7a:0b:4e:fc:09:4e:1a:d1:a1:09:ba:
                    eb:b1:ed:86:fe:68:8a:2f:b8:6a:66:2f:32:f5:54:
                    d1:22:50:f6:98:bd:e6:9c:6e:28:9d:f6:96:6d:8c:
                    63:94:8b:ea:32:d5:3e:e0:5b:41:60:2b:f4:71:5d:
                    c5:64:cb:3e:98:cf:bb:7d:94:f8:7b:9a:ec:05:b6:
                    45:42:24:30:f1:b6:67:5f:5e:b1:27:9d:fe:8f:6d:
                    46:e7:45:4a:7d:f3:18:68:9f:87:5f:c9:16:0c:3f:
                    bc:17:e2:e7:33:ec:67:6c:f0:51:4a:a0:ca:d1:7d:
                    27:67:6b:b7:bc:2a:fa:d0:5b:aa:79:19:46:73:b2:
                    c8:5a:7e:82:be:30:05:d4:9f:30:58:45:b5:40:d8:
                    1f:d9:f4:53:72:d8:48:1d:41:49:32:60:62:05:95:
                    f6:e9:7e:c3:3c:7c:12:25:c6:c1
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                AC:A2:1F:A5:65:F8:5C:2C:71:09:02:43:06:A5:1B:DE:C2:D3:20:F2
            X509v3 Basic Constraints: 
                CA:FALSE
            X509v3 Key Usage: 
                Digital Signature, Key Encipherment
            X509v3 Subject Alternative Name: 
                DNS:46.101.236.135, DNS:public-bedwars-app-do-user-4851149-0.b.db.ondigitalocean.com, DNS:private-replica-bedwars-app-do-user-4851149-0.b.db.ondigitalocean.com, DNS:10.114.0.2, DNS:private-bedwars-app-do-user-4851149-0.b.db.ondigitalocean.com, IP Address:10.114.0.2, DNS:replica-bedwars-app-do-user-4851149-0.b.db.ondigitalocean.com, DNS:*.b.db.ondigitalocean.com, DNS:n-bedwars-app-10.b.db.ondigitalocean.com, DNS:public-n-bedwars-app-10.b.db.ondigitalocean.com, DNS:bedwars-app-do-user-4851149-0.b.db.ondigitalocean.com, DNS:public-replica-bedwars-app-do-user-4851149-0.b.db.ondigitalocean.com, IP Address:46.101.236.135
    Signature Algorithm: sha384WithRSAEncryption
         18:07:d2:7a:d3:58:be:58:11:9a:be:98:38:2c:76:d4:8c:df:
         98:c8:83:d2:42:74:08:b9:6a:4d:29:0e:54:1e:ad:29:75:43:
         d4:67:80:27:cb:7f:c6:6c:fb:86:1a:19:b0:70:7d:fa:32:52:
         10:5d:b5:63:aa:ac:75:81:00:91:a5:7d:17:33:0d:2c:69:7a:
         af:30:2a:59:a4:59:b6:7f:28:38:43:fe:93:28:4c:73:13:87:
         a1:31:f3:82:37:f7:87:18:01:11:be:c7:35:90:1c:8d:fb:05:
         5c:bd:5a:87:68:3d:fa:5f:61:e9:5c:d7:61:c6:5a:a8:55:4a:
         dc:0a:c5:42:3a:41:32:8f:a5:18:8b:93:75:9c:05:95:99:16:
         82:3a:50:a0:77:d8:bc:8b:70:8a:16:f2:88:30:56:46:25:03:
         b1:de:85:43:f0:d4:ee:b9:c2:f0:25:17:3b:7b:b4:0d:5b:e6:
         ef:27:f2:56:bf:a5:35:db:e4:f5:81:43:88:9f:8e:ba:ab:29:
         6f:5a:f9:85:d1:5f:c2:ef:d2:f7:a2:1e:d3:a6:93:18:3d:bd:
         75:21:b3:85:cf:08:9c:20:97:7a:f5:2a:2d:37:7e:ef:42:b5:
         b9:c6:1b:73:a4:1b:22:1a:aa:cd:0b:e3:de:3f:88:3d:60:88:
         00:1e:23:43:07:fa:13:44:24:5b:59:b5:3a:38:99:dc:f4:c2:
         4e:e4:68:22:79:59:d2:b0:a3:1d:01:7d:bc:6c:ac:b0:45:b4:
         82:ac:53:18:54:b0:a8:65:af:0c:17:c3:2b:3b:89:fc:1d:7f:
         68:09:91:66:ad:ee:c2:a7:c1:e8:58:ed:12:1b:0f:76:60:8c:
         a0:4a:53:33:ce:6d:5b:9e:24:5f:04:2c:c9:36:49:4d:8a:a0:
         0a:bb:ef:47:21:47:7a:84:c3:92:26:5a:e4:1b:16:13:6a:0e:
         43:eb:34:54:fc:ef:12:a3:6d:ea:8b:50:67:de:04:32:92:a8:
         f5:26:49:c3:6f:e9

Rustls gets hung up on the DNS:46.101.236.135 SAN entry. is_valid_dns_id fails on this entry because label_is_all_numeric is true.

OpenSSL handles this certificate just fine.

All postgres databases provisioned by DigitalOcean have this SAN entry in their certs. Should I report this to them as an issue, or is this something that should be addressed in webpki?

@lucacasonato
Author

I think this is a bug on DigitalOcean's side, so I have raised a support ticket there too. I think there is probably nothing actionable for webpki to do here.

It'd be really nice if the webpki error messages could tell me the root cause for things like this, so I don't have to add println statements in the webpki source to figure out where things are going wrong.

@mvforell

mvforell commented May 8, 2022

This should be fixed as soon as #54 is fixed.

@lucacasonato
Author

@mvforell I don't think so. The issue here is that there is an IP address in a SAN DNS record, not an IP address record.

@ereslibre

ereslibre commented May 17, 2022

@lucacasonato It has the IP address as a SAN at the end too, so with #260 it should work.

@lucacasonato
Author

lucacasonato commented May 17, 2022

Yes, but it errors as soon as it reaches the invalid DNS SAN record. So even with #54 it will still crash.

@ereslibre

> Yes, but it errors as soon as it reaches the invalid DNS SAN record. So even with #54 it will still crash

Yes, sorry for the noise, that's right.
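The two points of the thread, that is_valid_dns_id rejects a dNSName whose last label is all digits, and that verification then stops at that entry before a later matching one is reached, modelled as an added example. This is not code from the issue, webpki or rustls: it uses only the Rust standard library, takes the SAN line from the certificate dump above as constructed input, and the names check_dns_id, dns_id_matches, verify_strict, verify_lenient, ip_literals_in_dns_names and parse_openssl_san_line are hypothetical. The checks approximate webpki's rules rather than reproduce its implementation.

```rust
// Added example, not code from the issue or from webpki/rustls: a model of how a
// verifier walks a certificate's Subject Alternative Name (SAN) list, fed with
// the SAN line from the certificate dump quoted in the issue (constructed input).
use std::net::IpAddr;

/// A decoded SAN GeneralName (assumption: DER decoding has already happened).
#[derive(Debug, PartialEq)]
pub enum SanEntry {
    DnsName(String),
    IpAddress(IpAddr),
}

#[derive(Debug, PartialEq)]
pub enum DnsIdError {
    BadLabel(String),
    /// Last label is all digits, i.e. an IP literal, not a hostname (the
    /// `label_is_all_numeric` condition named in the issue).
    AllNumericLastLabel,
}

/// Syntactic check of a presented DNS-ID, approximating webpki's `is_valid_dns_id`:
/// LDH labels, an optional leading "*." wildcard label, no all-numeric final label.
pub fn check_dns_id(name: &str) -> Result<(), DnsIdError> {
    let body = name.strip_prefix("*.").unwrap_or(name);
    let body = body.strip_suffix('.').unwrap_or(body);
    let mut last_all_numeric = false;
    for label in body.split('.') {
        let ldh = !label.is_empty() && label.len() <= 63 && !label.starts_with('-')
            && !label.ends_with('-') && label.chars().all(|c| c.is_ascii_alphanumeric() || c == '-');
        if !ldh { return Err(DnsIdError::BadLabel(label.to_string())); }
        last_all_numeric = label.chars().all(|c| c.is_ascii_digit());
    }
    if last_all_numeric { return Err(DnsIdError::AllNumericLastLabel); }
    Ok(())
}

/// Case-insensitive match against one DNS-ID; a leading "*" matches exactly one label.
pub fn dns_id_matches(pattern: &str, hostname: &str) -> bool {
    let (p, h) = (pattern.to_ascii_lowercase(), hostname.to_ascii_lowercase());
    match p.strip_prefix("*.") {
        Some(rest) => matches!(h.split_once('.'), Some((first, tail)) if !first.is_empty() && tail == rest),
        None => p == h,
    }
}

#[derive(Debug, PartialEq)]
pub enum VerifyError {
    MalformedDnsName { index: usize, name: String, reason: DnsIdError },
    NoMatch,
}

/// Strict walk: the first malformed dNSName aborts verification even when a
/// matching entry comes later in the list (the failure the issue reports).
pub fn verify_strict(san: &[SanEntry], hostname: &str) -> Result<usize, VerifyError> {
    for (index, entry) in san.iter().enumerate() {
        if let SanEntry::DnsName(name) = entry {
            if let Err(reason) = check_dns_id(name) {
                return Err(VerifyError::MalformedDnsName { index, name: name.clone(), reason });
            }
            if dns_id_matches(name, hostname) { return Ok(index); }
        }
    }
    Err(VerifyError::NoMatch)
}

/// Lenient walk: a malformed dNSName can never match, so it is skipped instead of
/// being fatal; the hostname is still accepted only through a well-formed entry.
pub fn verify_lenient(san: &[SanEntry], hostname: &str) -> Result<usize, VerifyError> {
    san.iter()
        .position(|e| matches!(e, SanEntry::DnsName(n) if check_dns_id(n).is_ok() && dns_id_matches(n, hostname)))
        .ok_or(VerifyError::NoMatch)
}

/// Issuer-side lint: dNSName entries that are really IP addresses and should
/// have been encoded as iPAddress GeneralNames instead.
pub fn ip_literals_in_dns_names(san: &[SanEntry]) -> Vec<(usize, IpAddr)> {
    san.iter().enumerate().filter_map(|(i, e)| match e {
        SanEntry::DnsName(n) => n.parse::<IpAddr>().ok().map(|ip| (i, ip)),
        SanEntry::IpAddress(_) => None,
    }).collect()
}

/// Parse the SAN line printed by `openssl x509 -text`; unknown kinds are dropped.
pub fn parse_openssl_san_line(line: &str) -> Vec<SanEntry> {
    line.split(", ").filter_map(|item| -> Option<SanEntry> {
        if let Some(n) = item.strip_prefix("DNS:") {
            Some(SanEntry::DnsName(n.to_string()))
        } else {
            item.strip_prefix("IP Address:")?.parse().ok().map(SanEntry::IpAddress)
        }
    }).collect()
}

/// Constructed input: the SAN line from the certificate dump in the issue, in order.
pub const ISSUE_SAN_LINE: &str = "DNS:46.101.236.135, \
    DNS:public-bedwars-app-do-user-4851149-0.b.db.ondigitalocean.com, \
    DNS:private-replica-bedwars-app-do-user-4851149-0.b.db.ondigitalocean.com, DNS:10.114.0.2, \
    DNS:private-bedwars-app-do-user-4851149-0.b.db.ondigitalocean.com, IP Address:10.114.0.2, \
    DNS:replica-bedwars-app-do-user-4851149-0.b.db.ondigitalocean.com, DNS:*.b.db.ondigitalocean.com, \
    DNS:n-bedwars-app-10.b.db.ondigitalocean.com, DNS:public-n-bedwars-app-10.b.db.ondigitalocean.com, \
    DNS:bedwars-app-do-user-4851149-0.b.db.ondigitalocean.com, \
    DNS:public-replica-bedwars-app-do-user-4851149-0.b.db.ondigitalocean.com, IP Address:46.101.236.135";
```

Run against the hostname from the issue, verify_strict stops at index 0 (DNS:46.101.236.135, last label "135" all numeric) before the wildcard entry at index 7 or the exact entry at index 10 is ever examined, while verify_lenient accepts the host through the well-formed wildcard entry. ip_literals_in_dns_names is the check an issuer's pipeline could run before signing: it reports indices 0 and 3 as dNSName values that should have been iPAddress entries, which here are duplicated correctly at indices 5 and 12.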
