Add IP Address SAN to Certificates Information #544

Closed
babelr opened this issue Dec 7, 2021 · 2 comments

babelr commented Dec 7, 2021

Is your feature request related to a problem? Please describe.
We're using a PKI Solution in our company and I'm testing installed certificates with sslyze to verify their proper installation on servers. We are using not only DNS Subject Alternative Names, but also IP Address Subject Alternative Names.
Unfortunately when testing the server either with --certinfo or --regular I only get to see the DNS Subject Alternative Names.
Furthermore, when I test against the IP Address of the Server, the Hostname Validation fails, which shouldn't be the case.

Describe the solution you'd like
I would like to see the "IP Address SAN" Information of the tested certificate, and a successful hostname validation when targeting the server by its IP Address.
E.g.:
sslyze --regular --certinfo_ca_file my-root.pem server.domain:443

 * Certificates Information:
   Hostname sent for SNI:             server.domain
   Number of certificates detected:   1


 Certificate #0 ( _RSAPublicKey )
   SHA1 Fingerprint:                  50766e1c18436323bd57d9f854e498f3671bdccc
   Common Name:                       server.domain
   Issuer:                            My Issuing CA
   Serial Number:                     2185473029123456789074175114908454567893256470
   Not Before:                        2021-11-04
   Not After:                         2023-11-04
   Public Key Algorithm:              _RSAPublicKey
   Signature Algorithm:               sha256
   Key Size:                          2048
   Exponent:                          65537
   DNS Subject Alternative Names:     ['server', 'server.domain']
   IP Subject Alternative Names:      ['192.168.1.10']     <- This is what I would like to see

Also in the test results, when I run this command:
sslyze --regular --certinfo_ca_file my-root.pem 192.168.1.10:443

  Certificate #0 - Trust
    Hostname Validation:               FAILED - Certificate does NOT match server hostname    <- This shouldn't fail

Describe alternatives you've considered
My alternative is to open up a web browser and manually inspect the certificate.

Thanks and cheers
Rene
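
The distinction this request turns on, as an added example that is not part of the issue or of sslyze's code: an IP target has to be compared against the certificate's IP Address SAN entries, so a matcher that reads only DNS SANs fails for 192.168.1.10. The dict shape is the one returned by Python's `ssl.SSLSocket.getpeercert()`; `SAMPLE_CERT` and all function names are constructed for illustration.

```python
import ipaddress

# Constructed sample in the shape returned by ssl.SSLSocket.getpeercert(),
# using the SAN values from the issue's example output.
SAMPLE_CERT = {
    "subject": ((("commonName", "server.domain"),),),
    "subjectAltName": (
        ("DNS", "server"),
        ("DNS", "server.domain"),
        ("IP Address", "192.168.1.10"),
    ),
}


def split_sans(cert):
    """Return (dns_names, ip_addresses) from a getpeercert()-style dict."""
    dns, ips = [], []
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS":
            dns.append(value)
        elif kind == "IP Address":
            # Normalise so equivalent textual forms (e.g. IPv6) compare equal.
            ips.append(ipaddress.ip_address(value.strip()))
    return dns, ips


def _dns_match(pattern, host):
    """Case-insensitive match; '*' allowed only as the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*" and len(p) > 2:
        p, h = p[1:], h[1:]
    return p == h


def target_matches(cert, target):
    """IP targets are checked against IP SANs only, names against DNS SANs only."""
    dns, ips = split_sans(cert)
    try:
        return ipaddress.ip_address(target) in ips
    except ValueError:  # target is not an IP literal, treat it as a hostname
        return any(_dns_match(name, target) for name in dns)


def dns_only_matches(cert, target):
    """Hypothetical validator that ignores IP SANs, for comparison."""
    dns, _ = split_sans(cert)
    return any(_dns_match(name, target) for name in dns)
```
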


gattjoe commented Feb 8, 2022

I submitted a PR here to add this functionality

@nabla-c0d3
Owner

Released as part of v5.1.0
