#583544 irssi only checks DNS entries in subjectaltname, not IP addresses

Package: irssi
Source: irssi
Description: terminal based IRC client
Submitter: Peter Palfrader
Date: 2010-05-28 09:12:05 UTC
Severity: normal
#583544#5
Date: 2010-05-28 09:06:08 UTC
From:
To:
Irssi now checks that the name in the certificate of a server actually
matches the name you try to connect to.

It does that by comparing the hostname to the CN and/or the entries in
the subjectAltName of the certificate.

However, when going through the subjectAltName entries it appears to
only look at DNS: entries, not at any existing IP-Address entries.

Consider this certificate[0]:

| X509v3 Subject Alternative Name:
|     DNS:somehost-ilo, DNS:somehost-ilo.debian.org, DNS:localhost, IP Address:192.0.2.104

And then in irssi:
| /connect -ssl -ssl_verify -ssl_cafile ~/ca-oob.debian.org.crt 192.0.2.104 443
| 10:58 -!- Irssi: Looking up 192.0.2.104
| 10:58 -!- Irssi: Connecting to 192.0.2.104 [192.0.2.104] port 443
| 10:58 -!- Irssi: warning None of the Subject Alt Names in the certificate match hostname '192.0.2.104'
| 10:58 -!- Irssi: Connection lost to 192.0.2.104
| 10:58 -!- Irssi: Removed reconnection to server 192.0.2.104 port 443

Irssi probably should check the IP address entries of the cert, if the
server hostname has been given as just an IP address.

Cheers,
weasel

0: it's not from an irc server, but that doesn't matter here.
   Also, details redacted since it's not available on the public internet
   anyway.
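
The type-aware matching the report asks for, as an added example that is not part of the original report and is not irssi's code: an IP-literal peer is compared only against IP Address entries, a name only against DNS entries. `struct san`, `parse_ip` and `san_matches` are hypothetical names; the sketch assumes SAN values are held as text (a real certificate stores IP entries as raw octets) and does exact DNS matching only, with no wildcard handling.

```c
#include <arpa/inet.h>
#include <stddef.h>
#include <string.h>
#include <strings.h>

/* Hypothetical, simplified view of one subjectAltName entry (values kept as text). */
enum san_type { SAN_DNS, SAN_IP };
struct san { enum san_type type; const char *value; };

/* Parse text as IPv4 or IPv6; return the address length (4 or 16), or 0 if not an IP. */
static size_t parse_ip(const char *s, unsigned char out[16])
{
    if (inet_pton(AF_INET, s, out) == 1) return 4;
    if (inet_pton(AF_INET6, s, out) == 1) return 16;
    return 0;
}

/* Return 1 if `peer` (the address the user asked to connect to) matches an entry. */
int san_matches(const struct san *sans, size_t n, const char *peer)
{
    unsigned char want[16], have[16];
    size_t want_len = parse_ip(peer, want);

    for (size_t i = 0; i < n; i++) {
        if (want_len > 0) {
            /* Peer is an IP literal: only IP entries count, compared in binary form. */
            if (sans[i].type != SAN_IP) continue;
            if (parse_ip(sans[i].value, have) == want_len &&
                memcmp(want, have, want_len) == 0)
                return 1;
        } else {
            /* Peer is a name: only DNS entries count, compared case-insensitively. */
            if (sans[i].type == SAN_DNS && strcasecmp(sans[i].value, peer) == 0)
                return 1;
        }
    }
    return 0;
}

/* Constructed sample mirroring the SAN list quoted in the report. */
const struct san report_sans[] = {
    { SAN_DNS, "somehost-ilo" },
    { SAN_DNS, "somehost-ilo.debian.org" },
    { SAN_DNS, "localhost" },
    { SAN_IP,  "192.0.2.104" },
};
/* Constructed counter-case: an IP written into a DNS entry must not satisfy an IP peer. */
const struct san dns_only_sans[] = { { SAN_DNS, "192.0.2.104" } };
```

Keeping the two entry types separate is what stops a DNS entry that merely looks like an address from vouching for an IP connection.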