Bundled stunnel doesn't support hostname verification. #7
Comments
Yes, right now we intentionally don't do hostname verification due to the complexity of certificate management under that scheme as we give each customer their own DNS records. We've yet to see a convincing argument about that impacting security (since we've pinned our certificate) for our use case but are always open to discuss it further as we care about these issues.
But this should still work so long as the cert served is a wildcard cert? eg with a common name of Though I agree since the CA cert is pinned,
@edmorley that's true, although multi-level wildcard certificates aren't well defined, as far as I knew, so seems a bit risky to use them (I haven't actually checked what stunnel does with them). We would need it since the form of server names are:
Oh yes sorry you're absolutely right. The only way around that is if the list of {region, provider} were under 100 combinations, the single cert could have the other domains under the Subject Alternative Name field, eg: Though checking one of my Heroku apps now I see it has yet another nested level, something like: ...which wouldn't work.
ah yeah:
The checkHost option was added in 5.15 released on 2015.04.16. It requires OpenSSL 1.0.2+ (latest release on 3 May 2016); Heroku currently only ships OpenSSL 1.0.1f 6 Jan 2014, so memcachier-tls-buildpack will have to bundle (or statically link) an openssl in addition to the current stunnel. (Or get Heroku to update it, which seems… improbable.) It is worth mentioning that currently the memcachier issued certs don't have hostnames that would validate with checkHost turned on. But if/once that changes this ticket should be soon to follow.