Certificate subject doesn't match with ipv6 address

[juhaszviktor]

syslog-ng

Version of syslog-ng

3.20.1

Platform

Linux

Steps to reproduce

on client side configure syslog-ng using TLS and IPv6 destination.
on server side configure a syslog-ng using TLS and IPv6 source.

the servers' certificate contains the ipv6 address in the "X509v3 Subject Alternative Name"
like:
X509v3 Subject Alternative Name:
IP Address:9994:0:0:0:0:0:0:2, IP Address:10.138.44.71

Preanalysis

During the mutual cert validation, the client reads the alternates of the server's certificate.
In the function tls_verify_certificate_name the type of the alternate name will be GEN_IPADD.
In that case the address is handled as an IPv4 address, seemingly the code doesn't care about IPv6 addresses.

I think the problematic code is in lib/tlscontext.c:

else if (gen_name->type == GEN_IPADD)
                {
                  char *dotted_ip = inet_ntoa(*(struct in_addr *) gen_name->d.iPAddress->data);

                  g_strlcpy(pattern_buf, dotted_ip, sizeof(pattern_buf));
                  found = TRUE;
                  result = strcasecmp(host_name, pattern_buf) == 0;
                }

[lbudai]

Hi @juhaszviktor !

could you check PR #3466 ?

[juhaszviktor]

Hi @lbudai,

It works fine!
Thanks for the quick response :)