
Issue 804349

Starred by 2 users

Issue metadata

Status: Verified
Owner:
Closed: Jan 2018
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 3
Type: Bug

Blocked on:
issue 803791



Remove commonName fallback code

Project Member Reported by rsleevi@chromium.org, Jan 22 2018

Issue description

With the removal of EnableCommonNameFallbackForLocalAnchors Enterprise Policy, all of the supporting logic for matching certificates against commonNames within certificates without SANs can be removed, reducing both complexity and attack surface.
 
Project Member

Comment 1 by bugdroid1@chromium.org, Jan 23 2018

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/def35f6b91ebf7afcf90c4bbd8c0eacaf8876b81

commit def35f6b91ebf7afcf90c4bbd8c0eacaf8876b81
Author: Ryan Sleevi <rsleevi@chromium.org>
Date: Tue Jan 23 21:12:24 2018

Remove Common Name Fallback code

Use of the common name for matching the hostname is fundamentally
insecure, as it allows for the bypass of security controls within
certificates. Remove the remaining aspects of supporting logic that
allow common name fallback, which were enabled by Enterprise Policy,
now that the Enterprise Policy has been removed.

BUG:  804349 

Cq-Include-Trybots: master.tryserver.chromium.android:android_cronet_tester;master.tryserver.chromium.mac:ios-simulator-cronet
Change-Id: I6e595f106b0d989935c9edc0d4c02e9a0f0f4584
Reviewed-on: https://chromium-review.googlesource.com/878901
Commit-Queue: Ryan Sleevi <rsleevi@chromium.org>
Reviewed-by: Daniel Cheng <dcheng@chromium.org>
Reviewed-by: Misha Efimov <mef@chromium.org>
Reviewed-by: Eric Roman <eroman@chromium.org>
Cr-Commit-Position: refs/heads/master@{#531345}
[modify] https://crrev.com/def35f6b91ebf7afcf90c4bbd8c0eacaf8876b81/chrome/browser/ssl/ssl_browsertest.cc
[modify] https://crrev.com/def35f6b91ebf7afcf90c4bbd8c0eacaf8876b81/chrome/test/data/webui/net_internals/log_view_painter.js
[modify] https://crrev.com/def35f6b91ebf7afcf90c4bbd8c0eacaf8876b81/components/cronet/android/cert/cert_verifier_cache_serializer.cc
[modify] https://crrev.com/def35f6b91ebf7afcf90c4bbd8c0eacaf8876b81/components/cronet/android/cert/proto/cert_verification.proto
[modify] https://crrev.com/def35f6b91ebf7afcf90c4bbd8c0eacaf8876b81/components/ssl_config/ssl_config_prefs.cc
[modify] https://crrev.com/def35f6b91ebf7afcf90c4bbd8c0eacaf8876b81/components/ssl_config/ssl_config_prefs.h
[modify] https://crrev.com/def35f6b91ebf7afcf90c4bbd8c0eacaf8876b81/components/ssl_config/ssl_config_service_manager_pref.cc
[modify] https://crrev.com/def35f6b91ebf7afcf90c4bbd8c0eacaf8876b81/net/cert/cert_verifier.h
[modify] https://crrev.com/def35f6b91ebf7afcf90c4bbd8c0eacaf8876b81/net/cert/cert_verify_proc.cc
[modify] https://crrev.com/def35f6b91ebf7afcf90c4bbd8c0eacaf8876b81/net/cert/cert_verify_proc_unittest.cc
[modify] https://crrev.com/def35f6b91ebf7afcf90c4bbd8c0eacaf8876b81/net/cert/cert_verify_result.cc
[modify] https://crrev.com/def35f6b91ebf7afcf90c4bbd8c0eacaf8876b81/net/cert/cert_verify_result.h
[modify] https://crrev.com/def35f6b91ebf7afcf90c4bbd8c0eacaf8876b81/net/cert/multi_threaded_cert_verifier.cc
[modify] https://crrev.com/def35f6b91ebf7afcf90c4bbd8c0eacaf8876b81/net/cert/x509_certificate.cc
[modify] https://crrev.com/def35f6b91ebf7afcf90c4bbd8c0eacaf8876b81/net/cert/x509_certificate.h
[modify] https://crrev.com/def35f6b91ebf7afcf90c4bbd8c0eacaf8876b81/net/cert/x509_certificate_unittest.cc
[modify] https://crrev.com/def35f6b91ebf7afcf90c4bbd8c0eacaf8876b81/net/log/net_log_event_type_list.h
[modify] https://crrev.com/def35f6b91ebf7afcf90c4bbd8c0eacaf8876b81/net/quic/chromium/quic_connection_logger.cc
[modify] https://crrev.com/def35f6b91ebf7afcf90c4bbd8c0eacaf8876b81/net/quic/chromium/quic_network_transaction_unittest.cc
[modify] https://crrev.com/def35f6b91ebf7afcf90c4bbd8c0eacaf8876b81/net/quic/chromium/quic_stream_factory_test.cc
[modify] https://crrev.com/def35f6b91ebf7afcf90c4bbd8c0eacaf8876b81/net/quic/test_tools/mock_crypto_client_stream.cc
[modify] https://crrev.com/def35f6b91ebf7afcf90c4bbd8c0eacaf8876b81/net/spdy/chromium/spdy_session.cc
[modify] https://crrev.com/def35f6b91ebf7afcf90c4bbd8c0eacaf8876b81/net/ssl/ssl_config.cc
[modify] https://crrev.com/def35f6b91ebf7afcf90c4bbd8c0eacaf8876b81/net/ssl/ssl_config.h
[modify] https://crrev.com/def35f6b91ebf7afcf90c4bbd8c0eacaf8876b81/net/ssl/ssl_config_service.cc
[modify] https://crrev.com/def35f6b91ebf7afcf90c4bbd8c0eacaf8876b81/net/ssl/ssl_config_service_unittest.cc
[modify] https://crrev.com/def35f6b91ebf7afcf90c4bbd8c0eacaf8876b81/net/tools/cert_verify_tool/verify_using_cert_verify_proc.cc
[modify] https://crrev.com/def35f6b91ebf7afcf90c4bbd8c0eacaf8876b81/net/tools/testserver/minica.py
[modify] https://crrev.com/def35f6b91ebf7afcf90c4bbd8c0eacaf8876b81/net/tools/testserver/testserver.py
[modify] https://crrev.com/def35f6b91ebf7afcf90c4bbd8c0eacaf8876b81/services/network/public/cpp/network_param_ipc_traits.cc

Status: Verified (was: Assigned)
Cc: rsleevi@chromium.org awhalley@chromium.org
 Issue 781806  has been merged into this issue.
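
The behavioural difference between SAN-only hostname matching and the commonName fallback this issue removes, shown in C++ as an added example that is not part of the original issue or of Chromium's code. `ParsedCert`, the function names and the sample hostnames are hypothetical, and the wildcard handling (leftmost label only) is an assumption of this example.

```cpp
// Added illustration, not Chromium's net/cert code; all names are hypothetical.
#include <algorithm>
#include <cctype>
#include <string>
#include <vector>

// Constructed stand-in for an already-parsed leaf certificate.
struct ParsedCert {
  std::string subject_common_name;         // Subject CN (free-form text)
  std::vector<std::string> san_dns_names;  // subjectAltName dNSName entries
};

static std::string Lower(std::string s) {
  std::transform(s.begin(), s.end(), s.begin(),
                 [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
  return s;
}

// Case-insensitive match; "*" is honoured only as the entire leftmost label.
static bool MatchesPattern(const std::string& pattern_in, const std::string& host_in) {
  const std::string pattern = Lower(pattern_in), host = Lower(host_in);
  if (pattern.rfind("*.", 0) != 0) return pattern == host;
  const std::string suffix = pattern.substr(1);  // e.g. ".api.example.test"
  const auto dot = host.find('.');
  return dot != std::string::npos && dot > 0 && host.substr(dot) == suffix;
}

// SAN-only verification: the subject CN is never consulted.
bool VerifyHostnameSanOnly(const ParsedCert& cert, const std::string& host) {
  for (const auto& name : cert.san_dns_names)
    if (MatchesPattern(name, host)) return true;
  return false;
}

// Legacy behaviour: fall back to the CN only when the certificate has no SANs.
bool VerifyHostnameLegacyFallback(const ParsedCert& cert, const std::string& host) {
  if (!cert.san_dns_names.empty()) return VerifyHostnameSanOnly(cert, host);
  return MatchesPattern(cert.subject_common_name, host);
}

int main() {
  const ParsedCert no_san{"intranet.example.test", {}};  // constructed sample
  // Exit 0 when the legacy path accepts via CN and the SAN-only path rejects.
  return (VerifyHostnameLegacyFallback(no_san, "intranet.example.test") &&
          !VerifyHostnameSanOnly(no_san, "intranet.example.test")) ? 0 : 1;
}
```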
