Opened 7 months ago

Last modified 6 months ago

#2148 accepted enhancement

proxy_ssl_verify does not support iPAddress subjectAlternativeName

Reported by: gavriluk@…
Owned by:
Priority: minor
Milestone:
Component: nginx-module
Version: 1.16.x
Keywords:
Cc: gavriluk@…
uname -a: Linux 3.10.0-1160.11.1.el7.x86_64 #1 SMP Mon Nov 30 13:05:31 EST 2020 x86_64 x86_64 x86_64 GNU/Linux
nginx -V: nginx version: nginx/1.16.1

built by gcc 4.8.5 20150623 (Red Hat 4.8.5-44) (GCC)

built with OpenSSL 1.0.2k-fips 26 Jan 2017

TLS SNI support enabled

configure arguments: --prefix=/opt/nginx --with-file-aio --with-http_ssl_module --with-http_realip_module --with-http_sub_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_auth_request_module --with-http_stub_status_module --without-http_fastcgi_module --without-http_uwsgi_module --without-http_scgi_module --without-http_memcached_module --with-http_perl_module=dynamic --without-mail_pop3_module --without-mail_imap_module --without-mail_smtp_module --with-pcre=../pcre-8.44 --with-compat --with-perl_modules_path=/usr/lib64/perl5 --with-perl=/usr/bin/perl

Description (last modified by gavriluk@…)

Module ngx_http_proxy_module proxy_ssl_trusted_certificate ignores x509 extension ipAddress

location config:
proxy_pass https://10.10.10.10:8443;
proxy_ssl_certificate /nginx/certs/chain.pem;
proxy_ssl_certificate_key /nginx/certs/client.key;
proxy_ssl_trusted_certificate /nginx/certs/proxied_server.pem;
proxy_ssl_verify on;
proxy_ssl_verify_depth 2;

When specifying
proxy_pass https://10.10.10.10:8443;
there is an error in error.log and a 502 Bad Gateway in curl

2021/03/09 23:22:34 [error] 18566#0: *1 upstream SSL certificate does not match "10.10.10.10" while SSL handshaking to upstream, client: 127.0.0.1, server: localhost, request: "GET / HTTP/1.1", upstream: "https://10.10.10.10:8443/", host: "localhost"

but when specifying
proxy_pass https://somehost:8443;
it works

certificate:
$> openssl x509 -text -in /nginx/certs/proxied_server.pem
...
X509v3 Subject Alternative Name:

DNS:somehost, IP Address:10.10.10.10

...

Change History (3)

comment:1 by gavriluk@…, 7 months ago

Description: modified (diff)

comment:2 by Maxim Dounin, 7 months ago

Status: new → accepted
Summary: Module ngx_http_proxy_module proxy_ssl_trusted_certificate ignores x509 extension ipAddress → proxy_ssl_verify does not support iPAddress subjectAlternativeName
Type: defect → enhancement

As of now, proxy_ssl_verify does not try to check IP addresses, but only supports DNS names. Given that use of IP addresses in certificates becomes more common, it probably makes sense to add support for iPAddress subjectAlternativeName in addition to dNSName.

For the reference, RFC 2818 says:

In some cases, the URI is specified as an IP address rather than a
hostname. In this case, the iPAddress subjectAltName must be present
in the certificate and must exactly match the IP in the URI.

In RFC 6125, identifiers other than fully qualified DNS domain names are explicitly listed as out of scope.

There seems to be some recent development towards proper validation of IP addresses by public authorities. In particular, recently published RFC 8738 defines a way to automatically validate IP addresses in ACME, and it seems that Let’s Encrypt might have some plans to implement this.

Known public services with iPAddress subject altnames include 1.1.1.1 and 8.8.8.8:

            X509v3 Subject Alternative Name: 
                DNS:cloudflare-dns.com, DNS:*.cloudflare-dns.com, DNS:one.one.one.one, IP Address:1.1.1.1, IP Address:1.0.0.1, IP Address:162.159.36.1, IP Address:162.159.46.1, IP Address:2606:4700:4700:0:0:0:0:1111, IP Address:2606:4700:4700:0:0:0:0:1001, IP Address:2606:4700:4700:0:0:0:0:64, IP Address:2606:4700:4700:0:0:0:0:6400
            X509v3 Subject Alternative Name: 
                DNS:dns.google, DNS:*.dns.google.com, DNS:8888.google, DNS:dns.google.com, DNS:dns64.dns.google, IP Address:2001:4860:4860:0:0:0:0:64, IP Address:2001:4860:4860:0:0:0:0:6464, IP Address:2001:4860:4860:0:0:0:0:8844, IP Address:2001:4860:4860:0:0:0:0:8888, IP Address:8.8.4.4, IP Address:8.8.8.8

A previous attempt to implement this can be seen here (certainly needs more work).
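The identity check the ticket asks for, written out as an added example (this is not nginx code and not the patch referred to above). It follows the RFC 2818 rule quoted in the comment: when the proxy_pass host is an IP literal, only iPAddress entries are consulted and must match exactly; when it is a name, only dNSName entries are consulted, with the single-label wildcard of RFC 6125. The `check_ip=False` path models the dNSName-only behaviour the reporter observed in 1.16.1. The SAN strings are copied from the `openssl x509 -text` output on this page; `parse_san`, `dns_name_matches` and `identity_matches` are names chosen here.

```python
"""RFC 2818-style upstream identity check against a certificate's
subjectAltName, including iPAddress entries (added example, not nginx code)."""
import ipaddress
from typing import List, Tuple

# SAN lines as printed by `openssl x509 -text`, taken from the ticket.
SAN_PROXIED_SERVER = "DNS:somehost, IP Address:10.10.10.10"
SAN_CLOUDFLARE = ("DNS:cloudflare-dns.com, DNS:*.cloudflare-dns.com, DNS:one.one.one.one, "
                  "IP Address:1.1.1.1, IP Address:1.0.0.1, "
                  "IP Address:2606:4700:4700:0:0:0:0:1111")


def parse_san(text: str) -> List[Tuple[str, str]]:
    """Split an OpenSSL-formatted SAN line into (type, value) pairs.

    Only DNS and IP Address entries are kept; other GeneralName types
    (email, URI) play no role in the RFC 2818 server identity check.
    """
    entries = []
    for item in text.split(","):
        item = item.strip()
        if item.startswith("DNS:"):
            entries.append(("dNSName", item[len("DNS:"):].strip()))
        elif item.startswith("IP Address:"):
            entries.append(("iPAddress", item[len("IP Address:"):].strip()))
    return entries


def dns_name_matches(pattern: str, host: str) -> bool:
    """Case-insensitive dNSName match. A leading '*.' matches exactly one
    label (RFC 6125 6.4.3): '*.example.com' covers 'a.example.com' but
    neither 'example.com' nor 'a.b.example.com'."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def identity_matches(target: str, san_entries: List[Tuple[str, str]],
                     check_ip: bool = True) -> bool:
    """Return True when `target` (the host part of proxy_pass) is covered
    by the SAN.

    With check_ip=True an IP literal is compared only against iPAddress
    entries, exactly, as RFC 2818 requires; dNSName entries are never
    consulted for it. With check_ip=False every target is treated as a
    name and matched against dNSName only, which is the pre-fix behaviour
    the ticket describes.
    """
    try:
        target_ip = ipaddress.ip_address(target.strip("[]"))
    except ValueError:
        target_ip = None

    if target_ip is not None and check_ip:
        for kind, value in san_entries:
            if kind != "iPAddress":
                continue
            try:
                # ip_address() normalises 2606:4700:4700:0:0:0:0:1111 and
                # 2606:4700:4700::1111 to the same object, so textual
                # differences in the certificate do not cause false rejects.
                if ipaddress.ip_address(value) == target_ip:
                    return True
            except ValueError:
                continue  # malformed iPAddress entry: skip it, never match
        return False

    return any(kind == "dNSName" and dns_name_matches(value, target)
               for kind, value in san_entries)


if __name__ == "__main__":
    san = parse_san(SAN_PROXIED_SERVER)
    for host in ("somehost", "10.10.10.10"):
        print(host, "dNSName-only:", identity_matches(host, san, check_ip=False),
              "with iPAddress:", identity_matches(host, san))
```

Run stand-alone it prints that `somehost` matches either way while `10.10.10.10` matches only once iPAddress entries are checked, which is exactly the difference between the two proxy_pass lines in the description. Matching an IP literal against a dNSName entry is deliberately never attempted, so a certificate carrying `DNS:10.10.10.10` would still be rejected for an IP upstream.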
