Kakashi
just joined
Topic Author
Posts: 2
Joined: Wed Jun 09, 2021 7:05 pm

SSTP-Certificate check Server IP

Wed Jun 09, 2021 7:18 pm

Hi everyone,

We had to renew our CA and certificates used in our SSTP setup. Our old server certificate had the IP as the CN, and the clients could validate the server's IP correctly. After we deployed the new CA and certificates, our clients can no longer validate the IP address which is written in the certificate's CN and we get the error "server´s IP address does not match certificate".

The only difference we could spot is that the old certificate had the other fields such as C=, ST= and O= set, whereas the new one only has the CN field. The RouterOS on the systems is rather old, v5.26 on the server and clients ranging from v5.26 to v6.32.2.

For now we disabled the function on the clients to check the server's IP address using the certificate, so everything works for now, but it would be nice to know if we made a mistake.

I hope someone here has an idea as to why this happens.

Kind regards.
 
tangent
Forum Guru
Posts: 1333
Joined: Thu Jul 01, 2021 3:15 pm

Re: SSTP-Certificate check Server IP

Fri Dec 17, 2021 2:16 pm

I can only speculate about your particular case, but I can tell you that TLS validation by IP is somewhat frowned upon in the wider TLS world since almost all use of TLS is over the Internet, where we can expect a single global DNS. I wouldn't be surprised if you're running into a system that blindly assumes DNS is the only way to validate a certificate or that DNS is first and IP is secondary.

I would try using the subject-alt-name field of X.509 v3 to try and get around this:

> /certificate
> add name=mycert common-name=myhostname subject-alt-name=DNS:myhostname,IP:10.1.2.3,DNS:althostname country=AB state=CD locality=Defghi organization=MyOrg unit="Organization IT" trusted=yes key-usage=tls-server
> sign ca=myCA mycert

I'm guessing on the correct value for key-usage. It may be correct but backwards: you might need tls-client if this is a client-side key. It might not matter; not all TLS implementations verify the keyUsage field. And it might need to be something else entirely.

The RouterOS on the systems is rather old, v5.26

Aside from the security problems it creates to keep using an 8-year-old OS release, you might simply have a TLS incompatibility. RouterOS must track such changes in order to communicate with web browsers and other TLS hosts, so you cannot expect its TLS implementation to remain static; if it did, it would eventually only be useful for RouterOS-to-RouterOS communication, as nothing else would talk to it.

If you think this is some MikroTik weakness, go try to get an 8-year-old web browser to talk to a properly tightened-down web server over HTTPS.
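As an added illustration of the subject-alt-name point above (this is example code written for this thread, not RouterOS code and not anything the poster or tangent supplied), the program below builds a throwaway CA with Go's standard crypto/x509 library and issues two server certificates: one with the IP only in the CN, as the poster's renewed certificate has, and one carrying DNS and IP entries in the SAN, as the suggested `/certificate add ... subject-alt-name=DNS:myhostname,IP:10.1.2.3,DNS:althostname` command would produce. It then runs the same check a TLS client runs after the handshake, chain validation plus a match of the name or IP the client connected to. The hostnames and the 10.1.2.3 address are taken from the suggested command; the CA, serial numbers and validity window are constructed for the demo. The CN-only outcome shows how a current standards-following verifier behaves (Go only matches IP literals against SAN iPAddress entries and ignores the CN); it is not evidence of what the poster's RouterOS v5/v6 builds do internally.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// Demo material, not RouterOS code: the CA, names, IPs and serials below are
// constructed for this example.

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// newCA creates a self-signed throwaway CA that can sign leaf certificates.
func newCA() (*x509.Certificate, *ecdsa.PrivateKey) {
	key := newKey()
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "demo-CA"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// issueServer signs a TLS-server leaf certificate (extended key usage
// serverAuth, the counterpart of RouterOS key-usage=tls-server). dnsNames and
// ips become subject-alt-name entries; pass nil for both to get a CN-only cert.
func issueServer(ca *x509.Certificate, caKey *ecdsa.PrivateKey, serial int64,
	cn string, dnsNames []string, ips []net.IP) *x509.Certificate {
	key := newKey()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		DNSNames:     dnsNames,
		IPAddresses:  ips,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// VerifyPeer does what a TLS (here: SSTP) client does after the handshake:
// chain the leaf to the trusted CA and check the name it connected to, a DNS
// name or an IP literal, against the certificate. nil means "accepted".
func VerifyPeer(leaf, ca *x509.Certificate, peer string) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:     roots,
		DNSName:   peer, // Go matches IP literals against SAN iPAddress entries
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// Outcome records which peer identities each certificate validates for.
type Outcome struct {
	CNOnlyByIP bool // IP only in the CN, client connects by that IP
	SANByIP    bool // IP in the SAN, client connects by that IP
	SANByDNS   bool // DNS name in the SAN, client connects by that name
	SANOtherIP bool // IP in the SAN, client connects by a different IP
}

// Demo issues the two certificates from the thread and checks each case.
func Demo() Outcome {
	ca, caKey := newCA()
	serverIP := net.ParseIP("10.1.2.3")
	cnOnly := issueServer(ca, caKey, 2, "10.1.2.3", nil, nil)
	withSAN := issueServer(ca, caKey, 3, "myhostname",
		[]string{"myhostname", "althostname"}, []net.IP{serverIP})
	return Outcome{
		CNOnlyByIP: VerifyPeer(cnOnly, ca, "10.1.2.3") == nil,
		SANByIP:    VerifyPeer(withSAN, ca, "10.1.2.3") == nil,
		SANByDNS:   VerifyPeer(withSAN, ca, "althostname") == nil,
		SANOtherIP: VerifyPeer(withSAN, ca, "10.1.2.4") == nil,
	}
}

func main() {
	o := Demo()
	fmt.Printf("CN-only cert, connect by 10.1.2.3: %v\n", o.CNOnlyByIP)
	fmt.Printf("SAN cert, connect by 10.1.2.3:     %v\n", o.SANByIP)
	fmt.Printf("SAN cert, connect by althostname:  %v\n", o.SANByDNS)
	fmt.Printf("SAN cert, connect by 10.1.2.4:     %v\n", o.SANOtherIP)
}
```

Run it with `go run` and the CN-only certificate is rejected when the client connects by IP, while the SAN certificate is accepted by IP and by either DNS name and still rejected for an IP that is not listed. The practical check on the RouterOS side is the same: after signing, confirm the issued certificate actually carries the IP as a SAN entry rather than only in the CN before re-enabling "verify server address" on the clients.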
