IP-based SAN support #2047
Some (not unexpected) issues with how some OSes detect
And doing a little more research on this, looks like
It might be worth checking with the author of that patch to see what their motivation was. I don't have a strong opinion either way. If we use inet_aton we'll need to grab the configure/meson code that makes inet_aton/inet_pton work. Defining _GNU_SOURCE here is not going to work (yes, I get that this is temporary).
Yeah, looks like it was Peter E; will shoot him an email.
No response from him yet at this point; here's what the man page says:
From these docs, I'm not seeing something that seems overly restrictive by just using inet_pton(). Do you see anything more concerning here?
I think it looks reasonable to just use
Okay, tweaked that and fixed a few other things; looks like it's at least compiling without complaints, which is a start... 😁. Will review after existing checks run.
@dwsteele looks like everything is happy but code coverage now.
Yeah, looks like coverage is next. The main test cert will need to be rebuilt, see Then we'll need some new tests right around line 610 in
The existing SAN code only recognizes DNS-based SANs, which means that it won't properly validate if using a SAN with an IP-based one. This PR adds support for IPv4, and if the OS supports it, IPv6. The current support is exact matching only.
This support would have simplified testing on a few occasions where many cert generation tools have trouble generating a DNS:1.2.3.4-style address, preferring to include the SAN as IP:1.2.3.4.
Needs tests, but this is a POC of the feature.
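An added example, not code from this PR or the project: a minimal sketch of exact IP SAN matching built on `inet_pton()`, comparing the parsed host against the raw 4- or 16-byte value an X.509 iPAddress SAN carries. The function names and sample SAN bytes are hypothetical and constructed for illustration, and the sketch assumes the OS provides `AF_INET6`.

```c
#include <arpa/inet.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* Hypothetical helper: parse host as an IP literal into network-order bytes.
 * Returns the address length (4 or 16), or 0 if host is not an IP literal. */
static size_t
host_to_ip_bytes(const char *host, unsigned char out[16])
{
    if (inet_pton(AF_INET, host, out) == 1)
        return 4;
    if (inet_pton(AF_INET6, host, out) == 1)
        return 16;
    return 0;
}

/* Exact match of host against one iPAddress SAN entry. The comparison is on
 * the binary address, so different spellings of the same IPv6 address match,
 * while an IPv4 host never matches a 16-byte SAN (no mapping is applied). */
static bool
host_matches_ip_san(const char *host, const unsigned char *san, size_t san_len)
{
    unsigned char addr[16];
    size_t addr_len = host_to_ip_bytes(host, addr);

    if (addr_len == 0 || addr_len != san_len)
        return false;
    return memcmp(addr, san, addr_len) == 0;
}

/* Constructed sample SAN values: IP:1.2.3.4 and IP:::1 */
static const unsigned char san_v4[4] = {1, 2, 3, 4};
static const unsigned char san_v6[16] = {0, 0, 0, 0, 0, 0, 0, 0,
                                         0, 0, 0, 0, 0, 0, 0, 1};

int
main(void)
{
    printf("1.2.3.4 vs v4 SAN: %d\n", host_matches_ip_san("1.2.3.4", san_v4, 4));
    printf("1.2.3   vs v4 SAN: %d\n", host_matches_ip_san("1.2.3", san_v4, 4));
    printf("::1     vs v6 SAN: %d\n", host_matches_ip_san("::1", san_v6, 16));
    return 0;
}
```

Unlike `inet_aton()`, `inet_pton(AF_INET, ...)` does not accept shortened forms such as `1.2.3`, so a host written that way is not treated as an IP literal here.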