Open
Bug 895063
Opened 11 years ago
Updated 6 months ago
NSS does not constrain IPs in Common Names according to nameConstraints when no SAN present
Categories
(NSS :: Libraries, defect, P5)
NSS
Libraries
Tracking
(Not tracked)
NEW
3.15.4
People
(Reporter: ryan.sleevi, Unassigned)
References
Details
This is a variation of Bug 394919, and only exists because Bug 552346 has not yet been implemented.

In CERT_VerifyCertName, when no subjectAltName is present, if the hostname-to-be-validated is an IP address, a strict string comparison is made of the common name (see http://mxr.mozilla.org/nss/source/lib/certdb/certdb.c#1787).

As a result of Bug 394919, the Common Name is checked that it is valid according to the permittedSubtrees for dNSNames. However, if the CN is to be treated as an iPAddress (in CERT_VerifyCertName), no checking of the permittedSubtrees for iPAddress is done. This is because CERT_GetConstrainedCertificateNames always treats the CN as a dNSName, even when the hostname-to-be-verified contains an IP/will be treated as an IP (see http://mxr.mozilla.org/nss/source/lib/certdb/genname.c#1106).
Updated•2 years ago
Severity: normal → S3
Updated•6 months ago
Severity: S3 → S4
Priority: -- → P5
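The gap described in the report, as an added example that is not NSS code and not part of the original bug: a small model comparing a CN check that only ever classifies the CN as a dNSName with a type-aware check that applies iPAddress permittedSubtrees when the CN is an IP literal. The struct, function names and addresses are hypothetical and constructed; the model is IPv4-only and assumes the issuer has no dNSName subtrees.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of an iPAddress permittedSubtrees entry (IPv4 address + mask). */
struct ip_subtree { const char *addr, *mask; };

/* 1 if ip (network byte order) lies inside subtree t. */
static int ip_in_subtree(uint32_t ip, const struct ip_subtree *t)
{
    struct in_addr a, m;
    if (inet_pton(AF_INET, t->addr, &a) != 1 || inet_pton(AF_INET, t->mask, &m) != 1)
        return 0; /* malformed constraint: match nothing */
    return (ip & m.s_addr) == (a.s_addr & m.s_addr);
}

/* Behaviour the report describes: the CN is only ever classified as a dNSName,
 * so iPAddress subtrees are never consulted. Assumption of this model: there
 * are no dNSName subtrees, so every CN is accepted. */
static int cn_permitted_dns_only(const char *cn, const struct ip_subtree *ip, int n)
{
    (void)cn; (void)ip; (void)n;
    return 1;
}

/* Type-aware check: a CN that parses as an IPv4 literal must fall inside one of
 * the permitted iPAddress subtrees when any exist (no subtrees of a type means
 * that type is unconstrained). Non-IP CNs are left to the dNSName check. */
static int cn_permitted_type_aware(const char *cn, const struct ip_subtree *ip, int n)
{
    struct in_addr addr;
    if (inet_pton(AF_INET, cn, &addr) != 1 || n == 0)
        return 1;
    for (int i = 0; i < n; i++)
        if (ip_in_subtree(addr.s_addr, &ip[i]))
            return 1;
    return 0;
}

int main(void)
{
    /* Constructed constraint: issuer limited to 192.0.2.0/24. */
    const struct ip_subtree permitted[] = { { "192.0.2.0", "255.255.255.0" } };
    const char *cns[] = { "192.0.2.10", "198.51.100.7", "www.example.com" };
    for (int i = 0; i < 3; i++)
        printf("%-16s dns-only=%d type-aware=%d\n", cns[i],
               cn_permitted_dns_only(cns[i], permitted, 1),
               cn_permitted_type_aware(cns[i], permitted, 1));
    return 0;
}
```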