Bugzilla – Bug 3275
Improper SSL/TLS certificate subjectAltName verification
Last modified: 2009-10-24 14:43:47 UTC
A recent bug was found in fetchmail, which pointed out that when validating SSL client certificates, fetchmail was not properly checking for embedded NUL characters: http://www.fetchmail.info/fetchmail-SA-2009-01.txt

This is a bug for the mod_tls module as well, for the mod_tls module does a similar verification of SSL client certs.

Specifically, for this embedded-NUL issue to affect a server, the following mod_tls configuration must be in effect:

    # Reverse DNS resolution MUST be on for this bug to manifest
    UseReverseDNS on

    <IfModule mod_tls.c>
      TLSEngine on

      # We have to be verifying clients' certs for this bug to manifest
      TLSVerifyClient on

      # and we have to be requiring that the subjectAltName field of the
      # client's certificate be a DNS name which matches the DNS name to which
      # the client's IP address was resolved
      TLSOptions dNSNameRequired
    </IfModule>

If reverse DNS resolution is off, OR if client certs are not being verified, OR if the DNS name in the client cert is not required, then the bug does not occur.
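To show the class of check this report is about, here is an added example in C that is not part of the bug report and is not mod_tls's own code (the real fix is in the attached patch and is not reproduced here). It assumes a dNSName subjectAltName value arrives the way an ASN.1 decoder delivers it, as a byte buffer with an explicit length, and it constructs the sample values inline; the names good.example and evil.example and the function names are hypothetical. The naive routine treats the buffer as a C string, so a NUL inside the declared length silently truncates the comparison; the strict routine rejects embedded NULs and compares the full declared length.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a dNSName subjectAltName value as it comes out of
 * an ASN.1 decoder: a byte buffer plus an explicit length. The buffers below
 * are NUL-terminated so the naive routine does not read past them. */
typedef struct {
    const unsigned char *data;
    size_t length;
} san_dnsname_t;

/* Vulnerable pattern: the SAN bytes are treated as a C string, so the
 * comparison stops at the first NUL and any bytes after it are ignored. */
int dnsname_matches_naive(const san_dnsname_t *san, const char *resolved_host)
{
    return strcmp((const char *) san->data, resolved_host) == 0;
}

/* Hardened pattern: reject any NUL inside the declared length, require the
 * declared length to equal the resolved name's length, and compare every
 * byte. Case folding and wildcard labels are out of scope here. */
int dnsname_matches_strict(const san_dnsname_t *san, const char *resolved_host)
{
    size_t host_len = strlen(resolved_host);

    if (memchr(san->data, '\0', san->length) != NULL) {
        return 0; /* embedded NUL: malformed dNSName, never a match */
    }
    if (san->length != host_len) {
        return 0; /* declared length must cover exactly the resolved name */
    }
    return memcmp(san->data, resolved_host, host_len) == 0;
}

/* Constructed samples: a well-formed name (12 bytes) and a value whose
 * declared length of 25 bytes spans "good.example" + NUL + "evil.example". */
static const unsigned char SAN_BENIGN[] = "good.example";
static const unsigned char SAN_EMBEDDED_NUL[] = "good.example\0evil.example";

const san_dnsname_t SAN_OK = { SAN_BENIGN, 12 };
const san_dnsname_t SAN_BAD = { SAN_EMBEDDED_NUL, 25 };

/* Name the reverse-DNS lookup is assumed to have produced for the client
 * (hypothetical value). */
#define RESOLVED_CLIENT_NAME "good.example"

int main(void)
{
    printf("benign SAN    naive=%d strict=%d\n",
           dnsname_matches_naive(&SAN_OK, RESOLVED_CLIENT_NAME),
           dnsname_matches_strict(&SAN_OK, RESOLVED_CLIENT_NAME));
    printf("embedded NUL  naive=%d strict=%d\n",
           dnsname_matches_naive(&SAN_BAD, RESOLVED_CLIENT_NAME),
           dnsname_matches_strict(&SAN_BAD, RESOLVED_CLIENT_NAME));
    return 0;
}
```

The benign value matches under both routines; the value with the embedded NUL is accepted by the naive routine (it only ever sees "good.example") and rejected by the strict one. Against real certificate data the same principle applies: take the length from the ASN.1 structure, never from strlen(), and treat a NUL within that length as a hard failure.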
Created attachment 3096: Fixes bug
Patch committed to CVS.
Backported to 1.3.2b; the attached patch applied cleanly to the 1.3.2a version of mod_tls.
See also: http://www.thoughtcrime.org/papers/null-prefix-attacks.pdf
Resolved in 1.3.2b, 1.3.3rc2.
CVE-2009-3639 assigned for this.