Error in parsing SSL certificates with email address

[ju916]

If you sprecify an (optional) email address in the certificate request, sslsniff adds it to the CN as part of the hostname. This results in invalid DNS lookups.

Example:

$ openssl req -new -nodes -keyout heise.key -out heise.csr -days 365 Generating a 1024 bit RSA private key ... Common Name (eg, YOUR name) []:www.heise.de Email Address []:[email protected] ...

$ openssl x509 -in certs/heise.crt -noout -text ... Subject: C=AU, ST=Some-State, O=Internet Widgits Pty Ltd, CN=www.heise.de/[email protected] ... $ sslsniff -t -c ./certs/ -s 1414 -w x1.log terminate called after throwing an instance of 'boost::exception_detail::clone_implboost::exception_detail::error_info_injector<boost::system::system_error >' what(): Host not found (authoritative) Abgebrochen

tcpdump shows, that sslsniff does a DNS query for "www.heise.de/[email protected]" which of course does not exist.

[ju916]

Previous was with sslsniff 0.8; rechecked with current version from github:

$ ./sslsniff -t -c ./certs/ -s 1414 -w x1.log terminate called after throwing an instance of 'BadCertificateException' what(): Could not parse certificate... Abgebrochen

Better but still not really good because the certificate is perfectly valid and usable.

[artgoldberg]

openssl (LibreSSL 2.8.3) has the same problem.