X509v3 can contain an IP address field in the subject Alternative Name extension. As an application verifying the server's identity, how should the IP address field be validated? What if both a DNS name and an IP address are present? Is there a preference of one over the other? What is the use of the dirName field?


Note that not all implementations are strict about this. Java is quite strict, but a number of browsers are more tolerant (which some think is a problem with Java). Generally, IP addresses in certificates are not recommended. (You may also be interested in the 2nd paragraph of RFC 6125, section 7.1.2 if you're reading about this generally. RFC 6125 is also a good spec to read if you're going beyond HTTPS.)

2019-04-19 15:32

You are right, an IP address is not recommended on the certificate. I just checked the chromium browser's source code; they do check the IP address. I will be tagging this question with chromium source as well to see if anybody else has any comments. Thanks for that RFC, by the way.

2019-04-19 15:32

Yes, I have checked that documentation and more than that. I didn't find any convincing answers for any of the above. I am more inclined now towards looking at the source code of the chromium browser to see how it's handling this field, if nothing helps here. The question is not what I have to do, rather what SHOULD be done.

2019-04-19 15:32

I think the browsers will check this field if the domain doesn't match with the CN.

2019-04-19 15:32

This does not seem to be correct. This might create a security hole. If the user supplied a hostname (DNS name), then we should match it only with the DNS name field of the subject Alternative Name and not with the IP address field. And a user-supplied IP address only with the IP address field of the subject Alternative Name.

2019-04-20 15:32

I read RFC 2818 earlier but must have missed this part --> "In some cases, the URI is specified as an IP address rather than a hostname. In this case, the iPAddress subjectAltName must be present in the certificate and must exactly match the IP in the URI."

2019-04-19 15:32

Sorry, I didn't see where you pointed to it.

2019-04-20 15:32
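The matching rule the thread converges on (a hostname reference identifier is compared only against dNSName entries, an IP address reference identifier only against iPAddress entries, with an exact match for IPs per RFC 2818 and the RFC 6125 wildcard restrictions for DNS names) as an added example, not code from the original question or from any browser's source. It assumes the SAN list is passed in the `(type, value)` tuple shape that Python's `ssl.getpeercert()["subjectAltName"]` returns; the function names and the sample SAN list are constructed for illustration. The CN is deliberately never consulted, and no dirName handling is attempted, since neither is part of server identity matching here.

```python
import ipaddress
from typing import Iterable, Optional, Tuple, Union

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Constructed sample SAN, in the shape ssl.getpeercert()["subjectAltName"] uses
# (assumption: this mirrors that format; it is not a real certificate).
SAMPLE_SAN = (
    ("DNS", "example.com"),
    ("DNS", "*.example.net"),
    ("IP Address", "192.0.2.10"),
    ("IP Address", "2001:db8::1"),
)


def parse_ip_literal(text: str) -> Optional[IPAddr]:
    """Return an address object if text is an IPv4/IPv6 literal, else None.

    The bracketed form used for IPv6 in URIs ("[2001:db8::1]") is accepted.
    Parsing (rather than string comparison) makes the later "exact match"
    independent of textual IPv6 variants such as zero compression.
    """
    candidate = text.strip()
    if candidate.startswith("[") and candidate.endswith("]"):
        candidate = candidate[1:-1]
    try:
        return ipaddress.ip_address(candidate)
    except ValueError:
        return None


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Match one dNSName value against a hostname (RFC 6125 section 6.4.3 style).

    Comparison is case-insensitive and ignores a trailing dot. A wildcard is
    accepted only as the entire leftmost label, only when at least two labels
    follow it (so "*.com" matches nothing), and it covers exactly one label.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False  # partial-label or too-broad wildcard: reject
    if len(p_labels) != len(h_labels) or h_labels[0] == "":
        return False
    return p_labels[1:] == h_labels[1:]


def match_server_identity(reference: str, san: Iterable[Tuple[str, str]]) -> bool:
    """Decide whether the SAN entries authenticate the reference identifier.

    An IP-literal reference is compared only against iPAddress entries, by
    exact address equality (RFC 2818). Anything else is treated as a hostname
    and compared only against dNSName entries. The two namespaces never cross,
    so a dNSName whose text happens to look like an IP cannot satisfy an IP
    reference, and vice versa.
    """
    ref_ip = parse_ip_literal(reference)
    if ref_ip is not None:
        for kind, value in san:
            if kind == "IP Address":
                cert_ip = parse_ip_literal(value)
                if cert_ip is not None and cert_ip == ref_ip:
                    return True
        return False

    hostname = reference.strip()
    if not hostname:
        return False
    return any(kind == "DNS" and dns_name_matches(value, hostname)
               for kind, value in san)


if __name__ == "__main__":
    for ref in ("example.com", "www.example.net", "192.0.2.10",
                "[2001:0db8::1]", "192.0.2.11", "a.b.example.net"):
        print(f"{ref:30} -> {match_server_identity(ref, SAMPLE_SAN)}")
```

Feeding the address-vs-name split through `parse_ip_literal` first is the point the L28 comment makes: deciding which SAN type to consult from what the user typed, before looking at the certificate, is what prevents a certificate issued for one namespace from being accepted for the other.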