Skip to content
GitLab
  • Menu
Projects Groups Snippets
  • Help
    • Help
    • Support
    • Community forum
    • Submit feedback
    • Contribute to GitLab
  • Sign in
  • BridgeDB BridgeDB
  • Project information
    • Project information
    • Activity
    • Labels
    • Members
  • Repository
    • Repository
    • Files
    • Commits
    • Branches
    • Tags
    • Contributors
    • Graph
    • Compare
  • Issues 24
    • Issues 24
    • List
    • Boards
    • Service Desk
    • Milestones
  • Merge requests 1
    • Merge requests 1
  • CI/CD
    • CI/CD
    • Pipelines
    • Jobs
    • Schedules
  • Deployments
    • Deployments
    • Environments
    • Releases
  • Monitor
    • Monitor
    • Incidents
  • Analytics
    • Analytics
    • Value stream
    • CI/CD
    • Repository
  • Wiki
    • Wiki
  • Activity
  • Graph
  • Create a new issue
  • Jobs
  • Commits
  • Issue Boards
Collapse sidebar
  • The Tor Project
  • Anti-censorship
  • BridgeDBBridgeDB
  • Issues
  • #27984
Closed
Open
Created Oct 09, 2018 by Trac@tracbot

bridgedb verifyHostname doesn't check subjectAltName extension

Currently, bridgedb/crypto.py function verifyHostname uses the certificate's commonName exclusively to perform a hostname match.

RFC 5280 demands that the presence of the subjectAltName (SAN) extension is checked, and if present, must be used to perform the hostname check.

verifyHostname should be changed to use subjectAltName. Only fall back to check common name if SAN is missing.

If an existing, more complete implementation of hostname verification can be found, it might be preferable to use it.

Trac:
Username: kaie

Assignee
Assign to
Time tracking