Uploaded image for project: 'OpenDJ'
  1. OpenDJ
  2. OPENDJ-2846

PromptingTrustManager does not handle wildcard certificates correctly

    XMLWordPrintable

    Details

    • Type: Bug
    • Status: Done
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 2.6.4, 3.0.0
    • Fix Version/s: 3.5.0, 4.0.0
    • Component/s: tools
    • Labels:

      Description

      To reproduce, set up an LDAPS connector using a CA signed wildcard certificate, e.g:

          Subject DN:  CN=*.example.com, OU=Services, O=ForgeRock, L=Bristol, ST=Bristol, C=UK
          Issuer DN:  CN=Some CA
          Validity:  Wed Oct 21 13:27:35 BST 2015 through Tue Jan 19 12:27:35 GMT 2016
      

      Ensure that CN=Some CA is added to a local truststore that will be used for a client. In this example case, '~/ldap/remote_trust.jks'. The actual server cert must not be in this trust store.

      Run an ldapsearch (using the toolkit ldapsearch, which uses opendj-core PromptingTrustManager)

      Ians-MacBook-Pro:bin ian$ ./ldapsearch -h opendj.example.com -p 1636 --useSSL -D "cn=Directory Manager" -b  "dc=example,dc=com" --trustStorePath ~/ldap/remote_trust.jks --trustStorePassword password -w password "uid=user.1" 
      Oct 21, 2015 1:45:59 PM org.forgerock.opendj.ldap.TrustManagers$CheckHostName verifyHostName
      WARNING: Error parsing subject dn: CN=*.example.com, OU=Services, O=ForgeRock, L=Bristol, ST=Bristol, C=UK
      java.security.cert.CertificateException: The host name contained in the certificate chain subject DN 'CN=*.example.com, OU=Services, O=ForgeRock, L=Bristol, ST=Bristol, C=UK' does not match the host name 'opendj.example.com'
      	at org.forgerock.opendj.ldap.TrustManagers$CheckHostName.verifyHostName(TrustManagers.java:125)
      	at org.forgerock.opendj.ldap.TrustManagers$CheckHostName.checkServerTrusted(TrustManagers.java:81)
      	at org.forgerock.opendj.ldap.TrustManagers$CheckValidityDates.checkServerTrusted(TrustManagers.java:160)
      	at com.forgerock.opendj.cli.PromptingTrustManager.checkServerTrusted(PromptingTrustManager.java:248)
      	at sun.security.ssl.AbstractTrustManagerWrapper.checkServerTrusted(SSLContextImpl.java:899)
      	at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1433)
      	at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:209)
      

      This fails because the hostname 'opendj.example.com' is used as the pattern and the wildcard CN (*.example.com) is used as the hostname.

      if (!hostNameMatchesPattern(value, hostNamePattern)) {
      

      They should be the other way around.

      Additionally, this verifyHostName method does not look at the Subject Alternative DNS in the certificate, which will cause other hostname verification incompatibilities.

        Attachments

        1. ca_truststore.jks
          1 kB
        2. ca_truststore.pin
          0.0 kB
        3. djwildcard.pfx
          3 kB

          Issue Links

            Activity

              People

              Assignee:
              ian.packer Ian Packer [X] (Inactive)
              Reporter:
              ian.packer Ian Packer [X] (Inactive)
              Dev Assignee:
              Ian Packer [X] Ian Packer [X] (Inactive)
              Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

                Dates

                Created:
                Updated:
                Resolved: