ssl: Extend hostname check to fallback to checking IP-address

If no SNI is available and the hostname is an IP-address also check for IP-address match. This check is not as good as a DNS hostname check and certificates using IP-address are not recommended.
author: Ingela Anderton Andin <[email protected]> 2017-10-06 17:24:16 +0200
committer: Ingela Anderton Andin <[email protected]> 2017-10-13 11:35:39 +0200
commit: 0bb96516ce308b6fb837696338b492d3c9a9f429 (patch)
tree: 4daf04a9d86159bf803db457eda16c4199992afa /lib/ssl/test/ssl_sni_SUITE.erl
parent: 4f4bf872831b12cac8913e8a62e35725d0173b0d (diff)
download: otp-0bb96516ce308b6fb837696338b492d3c9a9f429.tar.gz
otp-0bb96516ce308b6fb837696338b492d3c9a9f429.tar.bz2
otp-0bb96516ce308b6fb837696338b492d3c9a9f429.zip
1 files changed, 99 insertions, 1 deletions
diff --git a/lib/ssl/test/ssl_sni_SUITE.erl b/lib/ssl/test/ssl_sni_SUITE.erl
index 03676cb828..e080de95f6 100644
--- a/lib/ssl/test/ssl_sni_SUITE.erl
+++ b/lib/ssl/test/ssl_sni_SUITE.erl
@@ -25,6 +25,8 @@
 
 -include_lib("common_test/include/ct.hrl").
 -include_lib("public_key/include/public_key.hrl").
+-include_lib("kernel/include/inet.hrl").
+
 
 %%--------------------------------------------------------------------
 %% Common Test interface functions -----------------------------------
@@ -55,7 +57,10 @@ sni_tests() ->
      sni_no_match,
      no_sni_header_fun, 
      sni_match_fun, 
-     sni_no_match_fun].
+     sni_no_match_fun,
+     dns_name,
+     ip_fallback,
+     no_ip_fallback].
 
 init_per_suite(Config0) ->
     catch crypto:stop(),
@@ -112,6 +117,65 @@ sni_no_match(Config) ->
 sni_no_match_fun(Config) ->
     run_sni_fun_handshake(Config, "c.server", undefined, "server Peer cert").
 
+dns_name(Config) ->
+    Hostname = "OTP.test.server",
+    #{server_config := ServerConf,
+      client_config := ClientConf} = public_key:pkix_test_data(#{server_chain => 
+                                                                     #{root => [],
+                                                                       intermediates => [[]],
+                                                                       peer => [{extensions,  [#'Extension'{extnID = 
+                                                                                                                ?'id-ce-subjectAltName',
+                                                                                                            extnValue = [{dNSName, Hostname}],
+                                                                                                            critical = false}]}]},
+                                                                 client_chain => 
+                                                                     #{root => [],
+                                                                       intermediates => [[]],
+                                                                       peer => []}}),
+    unsuccessfull_connect(ServerConf, [{verify, verify_peer} | ClientConf], undefined, Config),
+    successfull_connect(ServerConf, [{verify, verify_peer}, {server_name_indication, Hostname} | ClientConf], undefined, Config),
+    unsuccessfull_connect(ServerConf, [{verify, verify_peer}, {server_name_indication, "foo"} | ClientConf], undefined, Config),
+    successfull_connect(ServerConf, [{verify, verify_peer}, {server_name_indication, disable} | ClientConf], undefined, Config).
+ 
+ip_fallback(Config) ->
+    Hostname = net_adm:localhost(),
+    {ok, #hostent{h_addr_list = [IP |_]}} = inet:gethostbyname(net_adm:localhost()),
+    IPStr = tuple_to_list(IP),
+    #{server_config := ServerConf,
+      client_config := ClientConf} = public_key:pkix_test_data(#{server_chain => 
+                                                                     #{root => [],
+                                                                       intermediates => [[]],
+                                                                       peer => [{extensions, [#'Extension'{extnID = 
+                                                                                                               ?'id-ce-subjectAltName',
+                                                                                                           extnValue = [{dNSName, Hostname},
+                                                                                                                        {iPAddress, IPStr}],
+                                                                                                           critical = false}]}
+                                                                               ]},
+                                                                 client_chain => 
+                                                                     #{root => [],
+                                                                       intermediates => [[]],
+                                                                       peer => []}}),
+    successfull_connect(ServerConf, [{verify, verify_peer} | ClientConf], Hostname, Config),
+    successfull_connect(ServerConf, [{verify, verify_peer} | ClientConf], IP, Config).
+ 
+no_ip_fallback(Config) ->
+    Hostname = net_adm:localhost(),
+    {ok, #hostent{h_addr_list = [IP |_]}} = inet:gethostbyname(net_adm:localhost()),
+    #{server_config := ServerConf,
+      client_config := ClientConf} = public_key:pkix_test_data(#{server_chain => 
+                                                                     #{root => [],
+                                                                       intermediates => [[]],
+                                                                       peer => [{extensions, [#'Extension'{extnID = 
+                                                                                                               ?'id-ce-subjectAltName',
+                                                                                                           extnValue = [{dNSName, Hostname}],
+                                                                                                           critical = false}]}
+                                                                               ]},
+                                                                 client_chain => 
+                                                                     #{root => [],
+                                                                       intermediates => [[]],
+                                                                       peer => []}}),
+    successfull_connect(ServerConf, [{verify, verify_peer} | ClientConf], Hostname, Config),
+    unsuccessfull_connect(ServerConf, [{verify, verify_peer} | ClientConf], IP, Config).
+ 
 
 %%--------------------------------------------------------------------
 %% Internal Functions ------------------------------------------------
@@ -217,3 +281,37 @@ run_handshake(Config, SNIHostname, ExpectedSNIHostname, ExpectedCN) ->
     ssl_test_lib:check_result(Server, ExpectedSNIHostname, Client, ExpectedCN),
     ssl_test_lib:close(Server),
     ssl_test_lib:close(Client).
+
+successfull_connect(ServerOptions, ClientOptions, Hostname0, Config) ->  
+    {ClientNode, ServerNode, Hostname1} = ssl_test_lib:run_where(Config),
+    Hostname = host_name(Hostname0, Hostname1),
+    Server = ssl_test_lib:start_server([{node, ServerNode}, {port, 0},
+                                        {from, self()}, {mfa, {ssl_test_lib, send_recv_result_active, []}},
+                                        {options, ServerOptions}]),
+    Port = ssl_test_lib:inet_port(Server),
+    Client = ssl_test_lib:start_client([{node, ClientNode}, {port, Port},
+                                        {host, Hostname}, {from, self()},
+                                        {mfa, {ssl_test_lib, send_recv_result_active, []}},
+                                        {options, ClientOptions}]),
+    ssl_test_lib:check_result(Server, ok, Client, ok),
+    ssl_test_lib:close(Server),
+    ssl_test_lib:close(Client).
+
+unsuccessfull_connect(ServerOptions, ClientOptions, Hostname0, Config) ->
+    {ClientNode, ServerNode, Hostname1} = ssl_test_lib:run_where(Config),
+    Hostname = host_name(Hostname0, Hostname1),
+    Server = ssl_test_lib:start_server_error([{node, ServerNode}, {port, 0},
+					      {from, self()},
+					      {options, ServerOptions}]),
+    Port = ssl_test_lib:inet_port(Server),
+    Client = ssl_test_lib:start_client_error([{node, ClientNode}, {port, Port},
+					      {host, Hostname},
+					      {from, self()}, 
+					      {options, ClientOptions}]),
+    
+    ssl_test_lib:check_result(Server, {error, {tls_alert, "handshake failure"}},
+			      Client, {error, {tls_alert, "handshake failure"}}).
+host_name(undefined, Hostname) ->
+    Hostname;
+host_name(Hostname, _) ->
+    Hostname.
author	Ingela Anderton Andin <[email protected]>	2017-10-06 17:24:16 +0200
committer	Ingela Anderton Andin <[email protected]>	2017-10-13 11:35:39 +0200
commit	0bb96516ce308b6fb837696338b492d3c9a9f429 (patch)
tree	4daf04a9d86159bf803db457eda16c4199992afa /lib/ssl/test/ssl_sni_SUITE.erl
parent	4f4bf872831b12cac8913e8a62e35725d0173b0d (diff)
download	otp-0bb96516ce308b6fb837696338b492d3c9a9f429.tar.gz otp-0bb96516ce308b6fb837696338b492d3c9a9f429.tar.bz2 otp-0bb96516ce308b6fb837696338b492d3c9a9f429.zip