Opened 3 years ago
Last modified 3 years ago
#2148 accepted enhancement
proxy_ssl_verify does not support iPAddress subjectAlternativeName
| Reported by: | Owned by: | ||
|---|---|---|---|
| Priority: | minor | Milestone: | |
| Component: | nginx-module | Version: | 1.16.x |
| Keywords: | Cc: | gavriluk@… | |
| uname -a: | Linux 3.10.0-1160.11.1.el7.x86_64 #1 SMP Mon Nov 30 13:05:31 EST 2020 x86_64 x86_64 x86_64 GNU/Linux | ||
| nginx -V: |
nginx version: nginx/1.16.1
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-44) (GCC) built with OpenSSL 1.0.2k-fips 26 Jan 2017 TLS SNI support enabled configure arguments: --prefix=/opt/nginx --with-file-aio --with-http_ssl_module --with-http_realip_module --with-http_sub_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_auth_request_module --with-http_stub_status_module --without-http_fastcgi_module --without-http_uwsgi_module --without-http_scgi_module --without-http_memcached_module --with-http_perl_module=dynamic --without-mail_pop3_module --without-mail_imap_module --without-mail_smtp_module --with-pcre=../pcre-8.44 --with-compat --with-perl_modules_path=/usr/lib64/perl5 --with-perl=/usr/bin/perl |
||
Description (last modified by )
Module ngx_http_proxy_module proxy_ssl_trusted_certificate ignores x509 extension ipAddress
location config:
proxy_pass https://10.10.10.10:8443;
proxy_ssl_certificate /nginx/certs/chain.pem;
proxy_ssl_certificate_key /nginx/certs/client.key;
proxy_ssl_trusted_certificate /nginx/certs/proxied_server.pem;
proxy_ssl_verify on;
proxy_ssl_verify_depth 2;
When specifies
proxy_pass https://10.10.10.10:8443;
there is an error in error.log and 502 Bad gateway in curl
2021/03/09 23:22:34 [error] 18566#0: *1 upstream SSL certificate does not match "10.10.10.10" while SSL handshaking to upstream, client: 127.0.0.1, server: localhost, request: "GET / HTTP/1.1", upstream: "https://10.10.10.10:8443/", host: "localhost"
but when specifies
proxy_pass https://somehost:8443;
then it works
certificate:
$> openssl x509 -text -in /nginx/certs/proxied_server.pem
...
X509v3 Subject Alternative Name:
DNS:somehost, IP Address:10.10.10.10
...
Change History (3)
comment:1 by , 3 years ago
| Description: | modified (diff) |
|---|
comment:2 by , 3 years ago
| Status: | new → accepted |
|---|---|
| Summary: | Module ngx_http_proxy_module proxy_ssl_trusted_certificate ignores x509 extension ipAddress → proxy_ssl_verify does not support iPAddress subjectAlternativeName |
| Type: | defect → enhancement |
As of now,
proxy_ssl_verifydoes not try to check IP addresses, but only supports DNS names. Given that use of IP addresses in certificates becomes more common, it probably make sense to add support for iPAddress subjectAlternativeName in addition to dNSName.For the reference, RFC 2818 says:
In RFC 6125, identifiers other than fully qualified DNS domain names are explicitly listed as out of scope.
There seems to be some recent development towards proper validation of IP addresses by public authorities. In particular, recently published RFC 8738 defines a way to automatically validate IP addresses in ACME, and it seems that Let’s Encrypt might have some plans to implement this.
Known public services with iPAddress subject altnames include 1.1.1.1 and 8.8.8.8:
X509v3 Subject Alternative Name: DNS:cloudflare-dns.com, DNS:*.cloudflare-dns.com, DNS:one.one.one.one, IP Address:1.1.1.1, IP Address:1.0.0.1, IP Address:162.159.36.1, IP Address:162.159.46.1, IP Address:2606:4700:4700:0:0:0:0:1111, IP Address:2606:4700:4700:0:0:0:0:1001, IP Address:2606:4700:4700:0:0:0:0:64, IP Address:2606:4700:4700:0:0:0:0:6400X509v3 Subject Alternative Name: DNS:dns.google, DNS:*.dns.google.com, DNS:8888.google, DNS:dns.google.com, DNS:dns64.dns.google, IP Address:2001:4860:4860:0:0:0:0:64, IP Address:2001:4860:4860:0:0:0:0:6464, IP Address:2001:4860:4860:0:0:0:0:8844, IP Address:2001:4860:4860:0:0:0:0:8888, IP Address:8.8.4.4, IP Address:8.8.8.8A previous attempt to implement this can be seen here (certainly needs more work).