iOS Ignores Critical X509v3 Name Constraints
||Date Originated:||25-Sep-2014 03:36 PM|
|Status:||Duplicate of 10112492 (Open)
18461300iOS Ignores Critical X509v3 Name Constraints
Alfred Karl Kornel25-Sep-2014 03:36 PM
Summary: iOS does not seem to enforce DNS Name Constraints specified by a root certificate. That's fine, as long as such constraints are not marked as critical. If iOS encounters a trusted root containing a critical Name Constraints extension, iOS will still allow connections to servers whose SSL certificate does not match the name constraints of the issuing CA.
Steps to Reproduce: 1: Install the CA from the following URL: https://www.dropbox.com/s/8dlt80xypxu18a1/buttonmash_ca.pem?dl=0
The Settings app will warn that the CA cannot be verified. That is OK.
2: Browse to the following site: https://buttonmash.karl.kornel.us
3: Browse to the following site: https://buttonmash.karl.kornel.name
Expected Results: I expected Safari to refuse to load either site, because the sites were using certs issued by a root containing a critical extension which iOS is not able to honor.
Actual Results: Safari displayed both web pages, including the lock icon indicating that the connection was secure.
Version: iOS 8.0 (12A365)
Notes: The test servers I made which demonstrate this issue will probably not be up for more than 30 days, unless I can remember to regenerate the CRL for the test CA.
Configuration: IPhone 5 16 GB Sprint
Reports posted here will not necessarily be seen by Apple.
All problems should be submitted at bugreport.apple.com before they are posted here.
Please only post information for Radars that you have filed yourself, and please do
not include Apple confidential information in your posts. Thank you!