LittleProxy fails if Subject Alternative Name for valid RFC822 Name #33

Open
krishnasathyanarayana opened this issue Jan 19, 2019 · 1 comment

Comments

@krishnasathyanarayana

The Subject Alternative Name can be the following, according to the RFC.

RFC822 Name= email id
DNS Name=DNS name

When you have an email ID in the certificate, the MITM proxy fails to create the tunnel due to an exception raised in the SubjectAlternativeNameHolder.parseGeneralName(List<?> nameEntry) method. From my analysis, we should call this method to check only for a valid DNS name. The validation we do should be limited to RFC-compliant values, and we should ignore the email IDs and consider only DNS names.

The easy fix is to remove the exception and, in SubjectAlternativeNameHolder.add(Collection<List<?>> subjectAlternativeNames), check for a valid DNS name before calling the parseGeneralName() method. Looking at the code, it should be sufficient without any other changes. Please review.

Refer to http://www.pkiglobe.org/subject_alt_name.html for additional information.

This problem was encountered on a couple of our servers that have an RFC822 Name in the SAN.

@ganskef
Owner

ganskef commented Sep 21, 2019

This is a bug. A valid SAN has a GeneralName which contains more than DNS name and IP address. The valid range is 0..8. I'll fix this.
And I'm wondering if an exception is the right choice at this point. Simply ignoring an invalid value could be better here.

ganskef added a commit that referenced this issue Sep 21, 2019
 - GeneralName tag range is 0..8 instead of 2,7 only
 - Ignore/log invalid name entries instead of throw an exception
koh-osug pushed a commit to koh-osug/LittleProxy-mitm that referenced this issue Mar 27, 2021
…C822 Name

 - GeneralName tag range is 0..8 instead of 2,7 only
 - Ignore/log invalid name entries instead of throw an exception
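
The handling discussed in this thread (accept every GeneralName tag 0..8, log and skip invalid entries instead of throwing), as an added Java example that is not LittleProxy-mitm's own code. The class name SanEntryFilter, its accept method and the sample entries are assumptions constructed for illustration; the input has the shape returned by X509Certificate.getSubjectAlternativeNames().

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.List;
import java.util.logging.Logger;

// Hypothetical helper, not LittleProxy-mitm's SubjectAlternativeNameHolder.
public class SanEntryFilter {
    private static final Logger LOG = Logger.getLogger(SanEntryFilter.class.getName());

    // GeneralName CHOICE tags from RFC 5280, section 4.2.1.6 (array index == tag).
    private static final String[] TAG_NAMES = {
        "otherName", "rfc822Name", "dNSName", "x400Address", "directoryName",
        "ediPartyName", "uniformResourceIdentifier", "iPAddress", "registeredID"
    };

    /** Returns "tagName:value" for every well-formed entry; logs and skips the rest. */
    public static List<String> accept(Collection<List<?>> subjectAlternativeNames) {
        List<String> accepted = new ArrayList<>();
        if (subjectAlternativeNames == null) return accepted; // no SAN extension present
        for (List<?> entry : subjectAlternativeNames) {
            if (entry == null || entry.size() < 2 || !(entry.get(0) instanceof Integer)) {
                LOG.warning("Ignoring malformed SAN entry: " + entry);
                continue;
            }
            int tag = (Integer) entry.get(0);
            if (tag < 0 || tag > 8) {
                LOG.warning("Ignoring SAN entry with tag outside 0..8: " + tag);
                continue;
            }
            Object value = entry.get(1); // String, or DER-encoded byte[] for tags 0, 3, 5
            String text = (value instanceof byte[])
                    ? "<" + ((byte[]) value).length + " DER bytes>" : String.valueOf(value);
            accepted.add(TAG_NAMES[tag] + ":" + text);
        }
        return accepted;
    }

    public static void main(String[] args) {
        // Constructed sample entries, not taken from a real certificate.
        Collection<List<?>> sans = Arrays.asList(
            Arrays.asList(1, "admin@example.com"),   // rfc822Name, the case from this issue
            Arrays.asList(2, "www.example.com"),     // dNSName
            Arrays.asList(7, "192.0.2.10"),          // iPAddress
            Arrays.asList(9, "bogus"),               // out of range: skipped, no exception
            Arrays.asList(2));                       // value missing: skipped
        System.out.println(accept(sans));
    }
}
```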