5

X509v3 can contain an IP address field in the subject Alternative Name extension.

  1. As an application verifying the server's identity, how should the IP address field be validated?
  2. If both a DNS name and an IP address are present, is there a preference of one over the other?
  3. What is the use of the dirName field?
JamesWebbTelescopeAlien

2 Answers

6

I read RFC 2818 earlier but must have missed this part.

> In some cases, the URI is specified as an IP address rather than a
> hostname. In this case, the iPAddress subjectAltName must be present
> in the certificate and must exactly match the IP in the URI.
JamesWebbTelescopeAlien
  • Note that not all implementations are strict about this. [Java](http://stackoverflow.com/a/8444863/372643) is quite strict, but a number of browsers are more tolerant (which some think is a problem with Java). Generally, IP addresses in certificates are not recommended. (You may also be interested in the 2nd paragraph of [RFC 6125, section 7.1.2](http://tools.ietf.org/html/rfc6125#section-1.7.2) if you're reading about this generally. RFC 6125 is also a good spec to read if you're going beyond HTTPS.) – Bruno Feb 09 '12 at 12:36
  • You are right, an IP address is not recommended on the certificate. I just checked the `chromium` browser's source code; they do check the IP address. I will be tagging this question to chromium source as well to see if anybody else has any comments. Thanks for that RFC by the way. – JamesWebbTelescopeAlien Feb 09 '12 at 22:45
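As an added illustration of the rule the quoted RFC 2818 text and the comments describe (this is example code written for this page, not code from the question, from Java, from Chromium or from any TLS library), a small Python checker that compares an IP literal only against iPAddress entries and a host name only against dNSName entries, never crossing the two. The SAN tuple shape follows what Python's `ssl.getpeercert()["subjectAltName"]` returns; the certificate contents are constructed sample values.

```python
import ipaddress
from typing import Optional

# Constructed sample: SAN entries of a hypothetical server certificate, in the
# shape Python's ssl.getpeercert()["subjectAltName"] uses. Not a real cert.
SAMPLE_SAN = (
    ("DNS", "www.example.com"),
    ("DNS", "*.api.example.com"),
    ("IP Address", "192.0.2.10"),
    ("IP Address", "2001:DB8::1"),
)

def _dns_match(pattern: str, hostname: str) -> bool:
    """RFC 6125 style dNSName comparison: case-insensitive; a wildcard only as
    the whole left-most label, matching exactly one label, never "*.com"."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def reference_matches(reference: str, san, cn: Optional[str] = None) -> bool:
    """Does the identity taken from the URI match the certificate?

    An IP literal is compared only with iPAddress entries (exact match of the
    parsed address, per RFC 2818) and a host name only with dNSName entries.
    The subject CN is consulted only for host names, and only when the
    certificate carries no dNSName entry at all (the RFC 2818 legacy fallback).
    """
    try:
        ref_ip = ipaddress.ip_address(reference.strip("[]"))  # "[::1]" form ok
    except ValueError:
        ref_ip = None
    if ref_ip is not None:
        for kind, value in san:
            if kind != "IP Address":
                continue
            try:
                if ipaddress.ip_address(value) == ref_ip:
                    return True
            except ValueError:
                continue  # malformed iPAddress entry: never a match
        return False  # no CN fallback for IP literals
    dns_entries = [v for k, v in san if k == "DNS"]
    if dns_entries:
        return any(_dns_match(p, reference) for p in dns_entries)
    return cn is not None and _dns_match(cn, reference)
```

Parsing both sides with `ipaddress` means textual variants of the same address ("2001:DB8::1" versus "2001:db8:0:0:0:0:0:1") still count as the exact match the RFC requires, while a host name that merely resolves to the certificate's IP is rejected.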
0

My answer is based on my experience with TLS/SSL.

  1. It's based upon the implementation of the certificate validation. To enforce IP address match, you have to implement that.
  2. Whatever way you want. You could also check both.
  3. Sorry no idea what this field does.

Have you checked the OpenSSL documentation?

rekire
  • Yes, I have checked that documentation and more than that. I didn't find any convincing answers for any of the above. I am more inclined now towards looking at the source code of the chromium browser to see how it's handling this field, if nothing helps here. The question is not what I have to do, rather what SHOULD be done. – JamesWebbTelescopeAlien Feb 07 '12 at 23:21
  • I think the browsers will check this field if the domain doesn't match with the `CN`. – rekire Feb 07 '12 at 23:31
  • This does _not_ seem to be correct. This might create a security hole. If the user supplied a hostname (DNS name), then we should match it only with the DNS name field of the subject Alternative Name and not with the IP address field, and a user-supplied IP address only with the IP address field of the subject Alternative Name. – JamesWebbTelescopeAlien Feb 08 '12 at 01:28
  • I read RFC 2818 earlier but must have missed this part --> _In some cases, the URI is specified as an IP address rather than a hostname. In this case, the iPAddress subjectAltName must be present in the certificate and must exactly match the IP in the URI._ – JamesWebbTelescopeAlien Feb 08 '12 at 02:17
  • I wrote that when the `CN` does not match, the browser will look at the `subjectAltName`. This is the case if you enter an IP and not a domain. Maybe my English is not perfect enough. In my own language I may have written it a little more accurately. – rekire Feb 08 '12 at 21:59
  • If `subjectAltName` is present then it MUST be used over `CN` as per the RFC 2818. – JamesWebbTelescopeAlien Feb 08 '12 at 22:41
  • The documentation link is dead. This one works: https://www.openssl.org/docs/manmaster/man5/x509v3_config.html – matusf Aug 16 '22 at 13:18