On Tue, Sep 17, 2013 at 7:02 PM, Matt Carey <cvstealth2000@xxxxxxxxx> wrote:

> I'm having an issue doing sslbumping with what seems to be isolated to CNAMEs where the certificate that is getting sent by squid (currently 3.3.9) back to the client has the CN field set to an IP address rather than a legit subject in the x509 certificate. An example of this behavior as seen by the client is:
>
> A well written client will refuse the connection.
>
> # openssl s_client -connect autodiscover.domain.com:443
> CONNECTED(00000003)
> depth=1 C = US, ST = Virginia, L = Alexandria, O = North American Domain, OU = IT Group, CN = fwa.domain.com, emailAddress = it@xxxxxxxxxx
> verify error:num=19:self signed certificate in certificate chain
> verify return:0
> ---
> Certificate chain
> 0 s:/CN=157.56.236.89 <-- This is causing the client browser/application to break because the subject doesn't match the site
> i:/C=US/ST=Virginia/L=Alexandria/O=North American Domain/OU=IT Group/CN=fwa.domain.com/emailAddress=it@xxxxxxxxxx
> 1 s:/C=US/ST=Virginia/L=Alexandria/O=North American Domain/OU=IT Group/CN=fwa.domain.com/emailAddress=it@xxxxxxxxxx
> i:/C=US/ST=Virginia/L=Alexandria/O=North American Domain/OU=IT Group/CN=fwa.domain.com/emailAddress=it@xxxxxxxxxx
> <snip>

Yeah, IPs be worrisome, especially if they are RFC 1918. Littleblackbox (http://code.google.com/p/littleblackbox/) FTW!

> I haven't put my finger on exactly what level of nesting or what is special about the CNAME attribute that for some sites is causing the dynamic certificate that is being sent to have the CN set to just the IP address. Any help in this matter would be greatly appreciated.

If your clients are RFC 5280 compliant (such as a web browser), then here are the guides:

Baseline: https://www.cabforum.org/Baseline_Requirements_V1_1_6.pdf
Extended Validation: https://www.cabforum.org/Guidelines_v1_4_3.pdf

Extended validation adds no additional technical controls. It simply restores CA profit levels back to the 1990s. Don't drink the Kool-Aid.

"Subject Common Name Field" is covered in the baseline guide. "Authorization for an IP Address" is covered in the baseline guide. Prohibition of RFC 1918 addresses is covered in the extended validation guide.

Section 9.2.2 of the baseline guide also states: "if present, this field [CN] MUST contain a single IP address or Fully-Qualified Domain Name that is one of the values contained in the Certificate's subjectAltName extension". The SAN is covered in section 9.2.1.

So the question becomes, is the IP address also listed in the SAN?

Jeff
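The two checks the reply turns on, the baseline rule that a CN must also appear in the SAN and the way an RFC 5280/6125 client matches the requested hostname against the SAN, as an added example that is not part of the thread. It works on dicts in the shape `ssl.SSLSocket.getpeercert()` returns; the three certificates are constructed to mirror the bumped certificate above and are assumptions, not captures from the list.

```python
import ipaddress

# Constructed samples in the shape returned by ssl.SSLSocket.getpeercert().
# Assumed reading of the thread: the bumped certificate carries CN=IP and no SAN.
BUMPED_NO_SAN = {"subject": ((("commonName", "157.56.236.89"),),)}
# CN=IP with the IP also in the SAN: satisfies baseline 9.2.2, but not a client
# that connected by hostname.
BUMPED_IP_SAN = {"subject": ((("commonName", "157.56.236.89"),),),
                 "subjectAltName": (("IP Address", "157.56.236.89"),)}
# What the client needed: the FQDN in CN and in the SAN.
GOOD_CERT = {"subject": ((("commonName", "autodiscover.domain.com"),),),
             "subjectAltName": (("DNS", "autodiscover.domain.com"),
                                ("IP Address", "157.56.236.89"))}

def common_names(cert):
    return [v for rdn in cert.get("subject", ()) for (k, v) in rdn if k == "commonName"]

def cn_listed_in_san(cert):
    """Baseline Requirements 9.2.2: a CN, if present, MUST be one of the SAN values."""
    sans = {v for (_, v) in cert.get("subjectAltName", ())}
    return bool(sans) and all(cn in sans for cn in common_names(cert))

def _dns_match(pattern, host):
    # Only a single left-most wildcard label is honoured, as RFC 6125 clients do.
    p, h = pattern.lower().split("."), host.lower().split(".")
    return len(p) == len(h) and all((pl == "*" and i == 0) or pl == hl
                                    for i, (pl, hl) in enumerate(zip(p, h)))

def _ip_equal(a, b):
    try:
        return ipaddress.ip_address(a) == ipaddress.ip_address(b)
    except ValueError:
        return False

def host_matches(cert, host):
    """Match the reference identity like a browser: SAN when present, CN only as legacy fallback."""
    sans = cert.get("subjectAltName", ())
    if not sans:
        return any(_dns_match(cn, host) for cn in common_names(cert))
    try:
        ipaddress.ip_address(host)
        return any(kind == "IP Address" and _ip_equal(value, host) for kind, value in sans)
    except ValueError:
        return any(kind == "DNS" and _dns_match(value, host) for kind, value in sans)
```

Run against the constructed samples, only `GOOD_CERT` passes both checks for `autodiscover.domain.com`; `BUMPED_IP_SAN` is baseline-conformant yet still fails a client that connected by name.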