Fix invalid DNS SAN entries #795
Conversation
|
Do we need to sanitize this? Should we be returning an error instead? It seems like if we strip out characters we are effectively making the certificate unusable. A client can then never connect to the server because the cert SAN and hostname in the request will always be different. This seems like we are effectively silently failing. |
|
@myagley Are you asking if we should do this sort of sanitization for module ID SAN entries as well? In the Kubernetes case this turned out to be necessary for Edge Hub since the module ID is I suppose we could special-case Edge Hub and error out in the general case if the module ID isn't a valid DNS name. For the subject name case, this PR removes sanitization (still makes it lower case though) and basically allows any arbitrary string. This fixes a regression. |
|
@myagley suggested using the sanitization rules per: http://man7.org/linux/man-pages/man7/hostname.7.html. @avranju does this work for the aforementioned scenario? |
|
Also I don't think this is a regression as the current changes merely bypass sanitization only for the hostname. Module IDs continue to be sanitized. |
|
@mrohera Sorry, I meant that what's in |
With the Kubernetes integration, module identifiers are used as the service name and here's the check that Kubernetes makes for service names:
Maybe we can leave the module ID SAN entry as-is and use the rules suggested above only for the common name? |
Changes here fix a situation where a edge device's host name that begins with number(s) [0-9] gets sanitized. For example host name "2019edgehost" is consumed as "edgehost". This has caused problems was observed when using VMs that begin with numbers since it appears to be permitted configuration contrary to RFC 1035. The changes involve passing the configured host name as is into the SAN entry without any modifications. The module id DNS entry continues to be sanitized.
This reverts commit a8148cc.
Changes here fix a situation where a edge device's host name that begins with number(s) [0-9] gets sanitized. For example host name "2019edgehost" is consumed as "edgehost". This has caused problems was observed when using VMs that begin with numbers since it appears to be permitted configuration contrary to RFC 1035. The changes involve passing the configured host name as is into the SAN entry without any modifications. The module id DNS entry continues to be sanitized.
* Fix invalid DNS SAN entries (#795) Changes here fix a situation where a edge device's host name that begins with number(s) [0-9] gets sanitized. For example host name "2019edgehost" is consumed as "edgehost". This has caused problems was observed when using VMs that begin with numbers since it appears to be permitted configuration contrary to RFC 1035. The changes involve passing the configured host name as is into the SAN entry without any modifications. The module id DNS entry continues to be sanitized. * Revert "Fix invalid DNS SAN entries (#795)" This reverts commit a8148cc. * prepare_dns_san_entries was allowing characters that are not A-Za-z0-9 (#736) * Fix invalid DNS SAN entries (#795) Changes here fix a situation where a edge device's host name that begins with number(s) [0-9] gets sanitized. For example host name "2019edgehost" is consumed as "edgehost". This has caused problems was observed when using VMs that begin with numbers since it appears to be permitted configuration contrary to RFC 1035. The changes involve passing the configured host name as is into the SAN entry without any modifications. The module id DNS entry continues to be sanitized.
Changes here fix a situation where a edge device's host name that begins with number(s) [0-9] gets sanitized. For example host name "2019edgehost" is consumed as "edgehost". This has caused problems was observed when using VMs that begin with numbers since it appears to be permitted configuration contrary to RFC 1035.
The changes involve passing the configured host name as is into the SAN entry without any modifications. The module id DNS entry continues to be sanitized.