Crypto backend breaks on IP entry in SAN #28

Open
opened 2020-10-31 03:59:56 +00:00 by khuxkm · 2 comments

Basically, when the SAN of a server's cert contains an IP address entry, AV-98 breaks when attempting to connect to the server. You can generate such a cert with a command like:

```
openssl req -x509 -newkey rsa:4096 -sha256 -days 365 -nodes \
  -keyout localhost.key -out localhost.crt -subj "/CN=7f000001.nip.io" \
  -addext "subjectAltName=DNS:7f000001.nip.io,IP:127.0.0.1"
```

Then run a Gemini server on localhost with localhost.{key|crt}, and attempt to access it from AV-98. The error that results is "'IPv4Address' object has no attribute 'count'", which happens because AV-98's handling of SAN when using cryptography doesn't distinguish DNS entries from IP entries in the SAN.

(Note: I actually thought the issue lay in the Python stdlib ssl library since the issue was from a ssl.* function, and got halfway through filing a Python bug report before I decided to double check and realized what was actually going on.)

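The failure the report describes is a type confusion in SAN handling: the `cryptography` package returns `DNSName` values as `str` but `IPAddress` values as `ipaddress.IPv4Address`/`IPv6Address` objects, so a matcher that treats every entry as a DNS name ends up calling `str` methods such as `count` on an address object. The following added example (written for this page, not AV-98's or `cryptography`'s own code) models that with plain-stdlib functions: `SAN_ENTRIES` is a constructed stand-in for the SAN of the cert produced by the openssl command above, `match_hostname_buggy` reproduces the crash, and `match_hostname` dispatches on the entry type the way a correct verifier must. The `"IP Address"` label is chosen to mirror the key `ssl.getpeercert()` uses; the wildcard handling is deliberately minimal (one whole leftmost label only).

```python
import ipaddress

# Constructed SAN contents in the shape `cryptography` hands back:
# DNSName values are str, IPAddress values are ipaddress objects.
# These mirror the cert the issue's openssl command generates.
SAN_ENTRIES = [
    ("DNS", "7f000001.nip.io"),
    ("IP Address", ipaddress.ip_address("127.0.0.1")),
]


def _dnsname_match(pattern, hostname):
    """Match a hostname against one DNS SAN entry.

    Only a wildcard that is the whole leftmost label is honoured.
    The first line is a str method, so an ipaddress object fails here
    with exactly the "'IPv4Address' object has no attribute 'count'"
    error quoted in the issue.
    """
    wildcards = pattern.count("*")
    pattern, hostname = pattern.lower(), hostname.lower()
    if wildcards == 0:
        return pattern == hostname
    left, _, rest = pattern.partition(".")
    if wildcards > 1 or left != "*" or not rest:
        return False  # partial-label or multi-label wildcards are rejected
    host_left, _, host_rest = hostname.partition(".")
    return host_left != "" and host_rest == rest


def match_hostname_buggy(san_entries, hostname):
    """Model of the bug: every SAN value is treated as a DNS name."""
    return any(_dnsname_match(value, hostname) for _kind, value in san_entries)


def match_hostname(san_entries, hostname):
    """Correct dispatch: DNS entries get name matching, IP Address entries
    get an exact address comparison, and the two never cross over."""
    try:
        wanted_ip = ipaddress.ip_address(hostname)
    except ValueError:
        wanted_ip = None  # hostname is a DNS name, not an IP literal
    for kind, value in san_entries:
        if kind == "DNS":
            if wanted_ip is None and _dnsname_match(value, hostname):
                return True
        elif kind == "IP Address":
            # str() normalises either an ipaddress object or a plain string
            if wanted_ip is not None and ipaddress.ip_address(str(value)) == wanted_ip:
                return True
    return False


if __name__ == "__main__":
    print(match_hostname(SAN_ENTRIES, "7f000001.nip.io"))  # True
    print(match_hostname(SAN_ENTRIES, "127.0.0.1"))        # True
    try:
        match_hostname_buggy(SAN_ENTRIES, "127.0.0.1")
    except AttributeError as exc:
        print("buggy matcher:", exc)
```

Note that the buggy matcher only crashes when the IP entry is actually reached: connecting by the DNS name in the example cert matches the first entry and returns before the `IPAddress` object is touched, which is one reason such a bug can hide until a cert with an IP entry listed first, or a connection by IP literal, comes along.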
Owner

Thanks for this report and sorry for my slow response time! I just tried to replicate this issue but wasn't able to. Which Gemini server are you using? It's not clear to me at all why this would be server-specific, but figured I'd check...
Author

Hmm... strange. The command in question *was* the command to generate the test certificate for my [Big Tiddy Gemini Server](https://github.com/MineRobber9000/btgs). This shouldn't be server specific though, since the problem is with how AV-98 handles the cert, not with how the server sends the cert.
Reference: solderpunk/AV-98#28