On the client side, configure syslog-ng using TLS and an IPv6 destination.
On the server side, configure syslog-ng using TLS and an IPv6 source.
The server's certificate contains the IPv6 address in the "X509v3 Subject Alternative Name", like:
    X509v3 Subject Alternative Name:
        IP Address:9994:0:0:0:0:0:0:2, IP Address:10.138.44.71
Preanalysis
During the mutual cert validation, the client reads the alternates of the server's certificate.
In the function tls_verify_certificate_name the type of the alternate name will be GEN_IPADD.
In that case the address is handled as an IPv4 address; seemingly the code doesn't care about IPv6 addresses.
I think the problematic code is in lib/tlscontext.c:
    else if (gen_name->type == GEN_IPADD)
      {
        char *dotted_ip = inet_ntoa(*(struct in_addr *) gen_name->d.iPAddress->data);
        g_strlcpy(pattern_buf, dotted_ip, sizeof(pattern_buf));
        found = TRUE;
        result = strcasecmp(host_name, pattern_buf) == 0;
      }
syslog-ng
Version of syslog-ng
3.20.1
Platform
Linux
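One way to match an iPAddress subjectAltName entry for both address families, as an added example that is not syslog-ng's code or part of the original report: the family is chosen from the entry's length (4 or 16 bytes) and the comparison is done on binary addresses rather than on text. The function names and byte arrays are constructed for illustration; with OpenSSL the bytes and length would come from `gen_name->d.iPAddress->data` and `gen_name->d.iPAddress->length`.

```c
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample data: raw iPAddress bytes for the two SAN entries in the report */
static const unsigned char SAN_V6[16] = { 0x99, 0x94, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0x02 };
static const unsigned char SAN_V4[4] = { 10, 138, 44, 71 };

/* Text form of an iPAddress SAN entry, choosing the family from its length.
 * Returns NULL when the length is neither 4 (IPv4) nor 16 (IPv6). */
const char *
san_ip_to_text(const unsigned char *san, size_t san_len, char *buf, size_t buf_len)
{
  if (san_len == sizeof(struct in_addr))
    return inet_ntop(AF_INET, san, buf, (socklen_t) buf_len);
  if (san_len == sizeof(struct in6_addr))
    return inet_ntop(AF_INET6, san, buf, (socklen_t) buf_len);
  return NULL;
}

/* Match an IP-literal host name against an iPAddress SAN entry by comparing
 * binary addresses, so "9994::2" and "9994:0:0:0:0:0:0:2" are the same host.
 * Returns 1 on match, 0 on mismatch, -1 on an unsupported SAN length. */
int
san_ip_matches_host(const unsigned char *san, size_t san_len, const char *host_name)
{
  unsigned char parsed[sizeof(struct in6_addr)];
  int family;
  if (san_len == sizeof(struct in_addr))
    family = AF_INET;
  else if (san_len == sizeof(struct in6_addr))
    family = AF_INET6;
  else
    return -1;
  /* inet_pton() returns 1 only for a valid literal of that family */
  if (inet_pton(family, host_name, parsed) != 1)
    return 0;
  return memcmp(parsed, san, san_len) == 0;
}

int
main(void)
{
  char buf[INET6_ADDRSTRLEN];
  printf("%s\n", san_ip_to_text(SAN_V6, sizeof(SAN_V6), buf, sizeof(buf)));
  printf("%d\n", san_ip_matches_host(SAN_V6, sizeof(SAN_V6), "9994:0:0:0:0:0:0:2"));
  return 0;
}
```

Comparing parsed addresses avoids a false mismatch when the configured host uses a different textual form of the same IPv6 address than the one the formatter produces.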