[MacPorts] #65297: Alpine fails to validate certs with no extensions
MacPorts
noreply at macports.org
Sat Jun 4 23:01:32 UTC 2022
#65297: Alpine fails to validate certs with no extensions
-----------------------------+--------------------
Reporter: steven-michaud | Owner: (none)
Type: defect | Status: new
Priority: Normal | Milestone:
Component: ports | Version:
Resolution: | Keywords:
Port: alpine |
-----------------------------+--------------------
Comment (by steven-michaud):
Here's pseudo-code to show how `ssl_validate_cert()` currently works (on
OpenSSL 1.1.0 or greater):

    for (each field in `cert`'s "subject name") {
      var ret = NIL
      if (field matches `host`) {
        return NIL (success)
      } else {
        ret = error
        for (each of `cert`'s `subject_alt_name` extensions) {
          if (`subject_alt_name` matches `host`) {
            ret = NIL
            break
          }
        }
        if (ret != NIL) {
          return error
        }
      }
    }

This is badly messed up. If `cert` doesn't have any `subject_alt_name`
extensions, `ssl_validate_cert()` fails at the first "subject name" field
that doesn't match `host`. Even if it does have these extensions, and one
matches, `ssl_validate_cert()` unnecessarily continues iterating through
the "subject name" fields.
I'll attach a logging patch that shows this in action.
--
Ticket URL: <https://trac.macports.org/ticket/65297#comment:1>
MacPorts <https://www.macports.org/>
Ports system for macOS
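
The control flow described in the comment above, modelled as an added C example (not part of the ticket, the attached patch, or Alpine's source), next to one possible restructuring that fails only after every name has been tried. The `struct cert` stand-in, the function names, the exact-string `name_matches()` and the sample certificates are all constructed assumptions; no OpenSSL calls are used.

```c
#include <stddef.h>
#include <string.h>

/* Constructed stand-in for a certificate: only the name strings matter here. */
struct cert {
    const char *subject[4]; size_t n_subject;  /* "subject name" field values */
    const char *san[4];     size_t n_san;      /* subject_alt_name entries */
};

/* Assumption: exact string equality stands in for the real host matching. */
static int name_matches(const char *name, const char *host) {
    return strcmp(name, host) == 0;
}

/* Control flow as in the pseudo-code: 0 = NIL (success), -1 = error. */
int validate_as_described(const struct cert *c, const char *host) {
    int ret = -1;  /* assumption: result when there are no subject fields */
    for (size_t i = 0; i < c->n_subject; i++) {
        if (name_matches(c->subject[i], host))
            return 0;
        ret = -1;
        for (size_t j = 0; j < c->n_san; j++)
            if (name_matches(c->san[j], host)) { ret = 0; break; }
        if (ret != 0)
            return -1;  /* fails on the first non-matching field */
    }
    return ret;
}

/* One possible restructuring: fail only after every name has been tried. */
int validate_any_name(const struct cert *c, const char *host) {
    for (size_t i = 0; i < c->n_subject; i++)
        if (name_matches(c->subject[i], host))
            return 0;
    for (size_t j = 0; j < c->n_san; j++)
        if (name_matches(c->san[j], host))
            return 0;
    return -1;
}

/* Constructed sample certificates (all names are made up). */
const struct cert cn_last_no_san   = { {"US", "Example Org", "mail.example.com"}, 3, {0}, 0 };
const struct cert cn_first_no_san  = { {"mail.example.com", "Example Org", "US"}, 3, {0}, 0 };
const struct cert cn_last_with_san = { {"US", "Example Org", "mail.example.com"}, 3, {"mail.example.com"}, 1 };
```

With no `subject_alt_name` entries, the described flow accepts `cn_first_no_san` but rejects `cn_last_no_san` for the same host, so the outcome depends only on the order of the subject fields.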