This repository was archived by the owner on Nov 24, 2025. It is now read-only.
Fix subject name validation in TR certificate loading#4998
Merged
mattjackson220 merged 4 commits into apache:master on Oct 14, 2020
Conversation
When validating the certificate subject name against the sslkeys hostname, TR did not properly parse Subject Alternate Names. Specifically, TR assumed all subject names were contained on the Common Name (CN) line and attempted to strip off the remainder of the subject before removing the wildcard. On subject alternate names, there is no CN= delimiter and the wildcard removal was failing.

Solution: Check for the presence of CN and other delimiters before attempting to remove them.
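As an added example (not the PR's own code, which is Java), the subject-name normalisation and comparison described above reconstructed in Python: the prefix-aware stripping that the PR describes, the comparison predicate exactly as it appears on the diff line, and a stricter matcher that generalises the fix to RFC 6125 single-label wildcard semantics. All input strings are constructed.

```python
import re


def normalize_subject_name(raw: str) -> str:
    """Reduce one subject entry to a bare, lower-cased DNS name.

    Accepts a CN line with trailing RDNs ("CN=*.example.com, O=Example, C=US"),
    a SAN entry as many tools print it ("DNS:*.example.com"), and a bare name.
    Each prefix is stripped only when it is actually present, which is the
    point of the PR: a SAN entry has no "CN=" to remove.
    """
    name = raw.strip()
    if name[:3].upper() == "CN=":
        name = name[3:].split(",", 1)[0]      # keep only the CN value
    elif name[:4].upper() == "DNS:":
        name = name[4:]
    return name.strip().rstrip(".").lower()


def matches_as_in_diff(subject_name: str, host_alias: str, subject: str) -> bool:
    """The comparison on the diff line. `subject` is the full subject that
    subject_name was cut out of, so `name in subject` is always true and only
    the substring test against host_alias can ever reject anything."""
    name = re.sub(r"\*\.", ".", subject_name, count=1)
    return len(name) > 0 and (name in host_alias or name in subject)


def matches_hardened(subject_entry: str, host_alias: str) -> bool:
    """Exact match for plain names. For "*.suffix" the host must end in
    ".suffix" and what precedes it must be exactly one non-empty label
    (RFC 6125 wildcard rule), so a substring such as ".example.com" inside an
    unrelated, longer name is no longer accepted."""
    name = normalize_subject_name(subject_entry)
    host = host_alias.strip().rstrip(".").lower()
    if not name or not host:
        return False
    if name.startswith("*."):
        suffix = name[1:]                      # "*.example.com" -> ".example.com"
        if not host.endswith(suffix):
            return False
        leading = host[: -len(suffix)]
        return bool(leading) and "." not in leading
    return host == name


if __name__ == "__main__":
    # Constructed inputs, not taken from the PR.
    for entry in ("CN=*.example.com, O=Example, C=US", "DNS:*.example.com", "*.example.com"):
        for host in ("edge.example.com", "a.b.example.com", "edge.example.community"):
            print(f"{entry!r:40} {host:24} hardened={matches_hardened(entry, host)}")
```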
| } | ||
|
|
||
| subjectName = subjectName.replaceFirst("\\*\\.", "."); | ||
| if (subjectName.length() > 0 && (hostAlias.contains(subjectName) || subject.contains(subjectName))) { |
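Review bot: the second clause of the condition, `subject.contains(subjectName)`, is always true because `subjectName` was cut out of `subject` and dropping the `*` from `*.` leaves a string the original subject still contains, so only `hostAlias.contains(subjectName)` ever decides the match and the intended two-way check never happens; the reply below proposes `subjectName.contains(hostAlias)` for that clause, which at least makes the branch meaningful. Separately, `contains` is a substring test: after `replaceFirst("\\*\\.", ".")` a wildcard such as `.example.com` is accepted anywhere inside the alias, not only as its trailing labels, so an `endsWith` comparison for wildcard names and `equals` for plain names would reflect what the certificate actually covers. A unit test with a CN that has trailing RDNs, a bare SAN entry, and a wildcard in both forms would pin the behaviour down.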
Contributor
should this maybe be if (subjectName.length() > 0 && (hostAlias.contains(subjectName) || subjectName.contains(hostAlias))) {? I think subject.contains(subjectName) will always be true
Contributor
Author
Good catch. I'll fix this and likely add a test to verify.
Contributor
@limited FYI this PR has merge conflicts.
Contributor
Author
Member
@limited - sorry, conflict again. :(
Contributor
Author
fixed
mattjackson220 approved these changes on Oct 14, 2020
Contributor
mattjackson220
left a comment
Looks good! Tests pass and testing manually looks good!