Bug 895063 (Open), opened 11 years ago, updated 6 months ago

NSS does not constrain IPs in Common Names according to nameConstraints when no SAN present

Categories: NSS :: Libraries, defect, P5
Tracking: Not tracked
Target Milestone: 3.15.4
People: Reporter: ryan.sleevi; Unassigned

Details

This is a variation of Bug 394919, and only exists because Bug 552346 has not yet been implemented.

In CERT_VerifyCertName, when no subjectAltName is present, if the hostname-to-be-validated is an IP address, a strict string comparison is made of the common name (see http://mxr.mozilla.org/nss/source/lib/certdb/certdb.c#1787).

As a result of Bug 394919, the Common Name is checked that it is valid according to the permittedSubtrees for dNSNames. However, if the CN is to be treated as an iPAddress (in CERT_VerifyCertName), no checking of the permittedSubtrees for iPAddress is done.

This is because CERT_GetConstrainedCertificateNames always treats the CN as a dNSName, even when the hostname-to-be-verified contains an IP/will be treated as an IP (see http://mxr.mozilla.org/nss/source/lib/certdb/genname.c#1106).
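A constructed Python model of the two code paths the report describes, added here as an illustration; this is not NSS code, and the function names, the CIDR spelling of iPAddress subtrees, and the sample CA constraints are assumptions made for the example. It keeps the report's logic: with no SAN, an IP hostname is matched to the CN by plain string comparison, while the name used for the permittedSubtrees check is always emitted as a dNSName (the buggy path) or as an iPAddress when the CN is an IP literal (the proposed fix). The scenario where the difference matters is a CA whose nameConstraints carry only an iPAddress permittedSubtree, so a CN treated as a dNSName is never constrained at all.

```python
import ipaddress

# Constructed model of the checks described in bug 895063. Not NSS code;
# the helper names and the CIDR form of iPAddress subtrees are assumptions.


def is_ip_literal(s):
    """True if s parses as an IPv4 or IPv6 address literal."""
    try:
        ipaddress.ip_address(s)
        return True
    except ValueError:
        return False


def dns_in_subtree(name, base):
    """RFC 5280 s4.2.1.10 dNSName constraint: name equals base or is a subdomain of it."""
    name = name.lower().rstrip(".")
    base = base.lower().strip(".")
    return name == base or name.endswith("." + base)


def ip_in_subtree(addr, base):
    """iPAddress constraint is address+mask; represented here in CIDR form (assumption)."""
    return ipaddress.ip_address(addr) in ipaddress.ip_network(base, strict=False)


MATCHERS = {"dNSName": dns_in_subtree, "iPAddress": ip_in_subtree}


def within_permitted(names, permitted):
    """names: [(type, value)]; permitted: {type: [subtree, ...]}.
    A name whose type has permittedSubtrees entries must fall inside one of them;
    a name whose type has no entries is unconstrained (RFC 5280 s4.2.1.10)."""
    for ntype, value in names:
        subtrees = permitted.get(ntype, [])
        if subtrees and not any(MATCHERS[ntype](value, s) for s in subtrees):
            return False
    return True


def cn_name_matches(cn, hostname):
    """CERT_VerifyCertName fallback as the report describes it: with no SAN, an IP
    hostname is compared to the CN as a plain string. A DNS hostname is modelled
    as a simplified case-insensitive exact match (no wildcard handling)."""
    if is_ip_literal(hostname):
        return cn == hostname
    return cn.lower().rstrip(".") == hostname.lower().rstrip(".")


def constrained_names_buggy(cn, hostname):
    """Reported behaviour: the CN is always emitted as a dNSName, whatever the hostname is."""
    return [("dNSName", cn)]


def constrained_names_fixed(cn, hostname):
    """Proposed behaviour: when the CN will be matched as an IP, constrain it as an iPAddress."""
    if is_ip_literal(hostname) and is_ip_literal(cn):
        return [("iPAddress", cn)]
    return [("dNSName", cn)]


def verify(cn, hostname, permitted, fixed):
    """True only if the CN matches the hostname AND the constrained names derived
    from the CN fall within the CA's permittedSubtrees."""
    if not cn_name_matches(cn, hostname):
        return False
    derive = constrained_names_fixed if fixed else constrained_names_buggy
    return within_permitted(derive(cn, hostname), permitted)


# Constructed scenario: an intermediate CA whose nameConstraints carry only an
# iPAddress permittedSubtree, and a leaf with CN=10.0.0.5 and no subjectAltName.
PERMITTED = {"iPAddress": ["192.168.0.0/16"]}

if __name__ == "__main__":
    # Buggy path: CN is a "dNSName", no dNSName subtrees exist, so the IP constraint is never consulted.
    print(verify("10.0.0.5", "10.0.0.5", PERMITTED, fixed=False))
    # Fixed path: CN is constrained as an iPAddress and 10.0.0.5 is outside 192.168.0.0/16.
    print(verify("10.0.0.5", "10.0.0.5", PERMITTED, fixed=True))
    # An in-range IP CN is accepted either way.
    print(verify("192.168.7.9", "192.168.7.9", PERMITTED, fixed=True))
```

The first call is the report's point: the leaf is accepted for 10.0.0.5 although the issuing CA was only ever permitted to issue for 192.168.0.0/16. A CA that also carries a dNSName permittedSubtree would reject the same CN on the buggy path too, but only by accident of string matching, which is why the report asks for the CN to be constrained by the type it is actually matched as.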
changing target milestone to 3.15.4
Target Milestone: 3.15.3 → 3.15.4
Severity: normal → S3
Severity: S3 → S4
Priority: -- → P5