| ▲ | tialaramex 2 days ago |
| One of the things this gestures at might as well get a brief refresher here: Subject Alternative Name (SAN) is not an alternative in the sense that it's an alias, SANs exist because the X.509 certificate standard is, as its name might suggest, intended for the X.500 directory system, a system from the 20th century which was never actually deployed. Mozilla (back then the Netscape Corporation) didn't like re-inventing wheels and this standard for certificates already existed so they used it in their new "Secure Sockets" technology but it has no Internet names so at first they just put names in plain text. However, X.500 was intended to be infinitely extensible, so we can just invent an alternative naming scheme, and that's what the SANs are, which is why they're mandatory for certificates in the Web PKI today - these are the Internet's names for things, so they're mandatory when talking about the Internet, they're described in detail in PKIX, the IETF document standardising the use of X.500 for the Internet. There are several types of name we can express as SANs but in a certificate the two you'll commonly see are dnsName - the same ASCII names you'd see in URLs like "news.ycombinator.com" or "www.google.com" and ipAddress - a 32-bit integer typically spelled as four dotted decimals 10.20.30.40 [yes or an IPv6 128-bit integer will work here, don't worry] Because the SANs aren't just free text a machine can reliably parse them which would doubtless meet Rachel's approval. The browser can mindlessly compare the bytes in the certificate "news.ycombinator.com" with the bytes in the actual DNS name it looked up "news.ycombinator.com" and those match so this cert is for this site. With free text in a CN field like a 1990s SSL certificate (or, sadly, many certificates well into the 2010s because it was difficult to get issuers to comply properly with the rules and stop spewing nonsense into CN) it's entirely possible to see a certificate for " 10.200.300.400" which well, what's that for? Is that leading space significant? Is that an IP address? But those numbers don't even fit in one byte each I hope our parser copes! |
|
| ▲ | fanf2 2 days ago | parent | next [-] |
| Tedious and pedantic note: You can’t mindlessly compare the bytes of the host name: you have to know that it’s the presentation format of the name, not the DNS wire format; you have to deal with ASCII case insensitivity; you have to guess what to do about trailing dots (because that isn’t specified); you have to deal with wildcards (being careful to note that PKIX wildcard matching is different from DNS wildcard matching). It’s not as easy as it should be! |
| |
| ▲ | tialaramex 2 days ago | parent [-] | | In practice it's much easier than you seem to have understood The names PKIX writes into dnsName are exactly the same as the hostnames in DNS. They are defined to always be Fully Qualified, and yet not to have a trailing dot, you don't have to like that but it's specified and it's exactly how the web browsers worked already 25+ years ago. You're correct that they're not the on-wire label-by-label DNS structure, but they are the canonical human readable DNS name, specifically the Punycode encoded name, so [the website] https://xn--j1ay.xn--p1ai/ the Russian registry which most browsers will display with Cyrllic, has its names stored in certificates the same way as it is handled in DNS, as Punycode "xn--j1ay.xn--p1ai". In software I've seen the label-by-label encoding stuff tends to live deep inside DNS-specific code, but the DNS name needed for comparing with a certificate does not do this. You don't need to "deal with" case except in the sense that you ignore it, DNS doesn't handle case, the dnsName in SANs explicitly doesn't carry this, so just ignore the case bits. Your DNS client will do the case bit wiggling entropy hack, but that's not in code the certificate checking will care about. You do need to care about wildcards, but we eliminated the last very weird certificate wildcards because they were minted only by a single CA (which argued by their reading they were obeying PKIX) and that CA is no longer in business 'cos it turns out some of the stupid things they were doing even a creative lawyerly reading of specifications couldn't justify. So the only use actually enabled today is replacing one DNS label at the front of the name. Nothing else is used, no suffixes, no mid-label stuff, no multi-label wildcards, no labels other than the first. Edited to better explain the IDN situation hopefully | | |
| ▲ | cryptonector 2 days ago | parent [-] | | > You don't need to "deal with" case except in the sense that you ignore it, DNS doesn't handle case The DNS is case-insensitive, though only for ASCII. So you have to compare names case-insensitively (again, for ASCII). It _is_ possible to have DNS servers return non-lowercase names! E.g., way back when sun.com's DNS servers would return Sun.COM if I remember correctly. So you do have to be careful about this, though if you do a case-sensitive, memcmp()-like comparison, 999 times out of 1,000 everything will work, and you won't fail open when it doesn't. | | |
| ▲ | tialaramex a day ago | parent [-] | | You're correct that your DNS queries and answers can set the case bit, but the protocol design always said that while the answers must match the query, the case isn't actually significant. For a long time that's just an obscure Um Actually nerd trivia question, but traditional (before DPRIVE) DNS is very old and is mostly a UDP protocol, so people try to spoof it, let's follow that story: At first: The only anti-spoof defence provided in DNS is an ID number, initially people are like 1, 2, 3, 4, 5... and so the attacker watches you use these IDs then makes you ask a question, "6: A? mybank.example" and simultaneously they answer "6: A 10.20.30.40" before your real DNS server could likely respond - choosing their own IP address. Six is the expected ID, you just got spoofed and will visit their fake bank. So then: DNS clients get smarter using randomisation for the ID, 23493, 45390, 18301... this helps considerably, but bandwidth is cheap and those IDs are only 16-bit so a bad guy can actually send you 65536 answers and get a 100% success rate with spoofing, or more realistically maybe they send 1000 answers and still have more than 1% success. Today as a further improvement, we use Paul Vixie's bit 0x20 hack which uses every letter of a DNS label to hide one bit of entropy in the case in addition to the random ID. Now the attacker has to try not only different IDs but different case spellings, A? mYbANk.eXAmpLE or maybe A? MyBANk.EXAMple or A? mybaNK.EXamPLE -- only responses with the right case match, the others are ignored. So, because of all this security shenanigans, your DNS client knows that case in DNS queries doesn't matter and will do what we want for this purpose. [Edited: fixed a few typos] |
|
|
|
|
| ▲ | p_ing 2 days ago | parent | prev | next [-] |
| Did browsers ever strictly require a SAN; they certainly didn't even as of ~10 years ago? Yes, it is "required", but CN only has worked for quite some time. I find this tricks up some IT admins who are still used to only supplying a CN and don't know what a SAN is. |
| |
| ▲ | tialaramex 2 days ago | parent [-] | | > Did browsers ever strictly require a SAN; Yes, all the popular browsers require this. > they certainly didn't even as of ~10 years ago? That's true, ten years ago it was likely that if a browser required this they would see unacceptably high failure rates because CAs were non-compliant and enforcement wasn't good enough. Issuing certs which would fail PKIX was prohibited, but so is speeding and yet people do that every day. CT improved our ability to inspect what was being issued and monitor fixes. > Yes, it is "required", but CN only has worked for quite some time. No trusted CA will issue "CN only" for many years now, if you could obtain such a certificate you'd find it won't work in any popular browser either. You can read the Chromium or Mozilla source and there just isn't any code to look in CN, the browser just parses the SANs. > I find this tricks up some IT admins who are still used to only supplying a CN and don't know what a SAN is. In most cases this is a sign you're using something crap like openssl's command line to make CSRs, and so you're probably expending a lot of effort filling out values which will be ignored by the CA and yet not offered parameters you did need. | | |
| ▲ | p_ing 2 days ago | parent [-] | | You're forgetting that browsers deal with plenty of internal-only CAs. Just because a public CA won't issue a CN only cert doesn't mean an internal CA won't. That is why I'm curious to know if browsers /strictly/ require SANs, yet. Not something I've tested in a long time since I started supporting public-only websites/cloud infra. As you noted about OpenSSL, Windows CertSvr will allow you to do CN only, too. | | |
| ▲ | tialaramex 2 days ago | parent [-] | | I mean, no, I'm not forgetting that, of course your private CA can issue whatever nonsense you like, to this day - and indeed several popular CAs are designed to do just that as you noted. Certificates which ignore this rule won't work in a browser though, or in some other modern software. Chromium published an "intent to remove" and then actually removed the CN parsing in 2017, at that point EnableCommonNameFallbackForLocalAnchors was available for people who were still catching up to policy from ~15 years ago. The policy override flag was removed in 2018, after people had long enough to fix their shit. Mozilla had already made an equivalent change before that, maybe it worked for a few more years in Safari? I don't have a Mac so no idea. |
|
|
|
|
| ▲ | skissane 10 hours ago | parent | prev [-] |
| > the X.500 directory system, a system from the 20th century which was never actually deployed X.500 really was deployed – never at the scale the designers originally intended, as a single global directory system – but, as an enterprise directory system, yes it was – and it still survives in that role today, albeit as a legacy niche. LDAP is a direct descendant of X.500 – it was basically taking the X.500 Directory Access Protocol (DAP, X.511), simplifying it somewhat, and porting it to run on top of TCP instead of OSI TP. Many early LDAP servers were just X.500 DAP servers with LDAP support added as an additional feature–and if you read the LDAP RFCs, large parts of them were written with that assumption, and don't make much sense unless you understanding the X.500 underpinnings Nowadays, the most popular LDAP servers never implemented X.500, and few bother to implement the full set of X.500 semantics which LDAP supports – although one of the infuriating things about LDAP is that every implementation is a slightly different subset of the X.500 feature set. X.400 survives in some applications–it is the basis of the NATO standard Military Message Handling System (MMHS) and also the Aeronautical Message Handling System (AMHS) used by commercial aircraft – and X.400 and X.500 were designed to be used together. I know vendors like Thales Group still sell X.500 directory servers for use with AMHS (and probably MMHS too) Isode still sells M-Vault which supports both LDAP and X.500 DAP (X.511) – primarily for military applications |
