Does Chrome support X509v3 Permitted Name Constraints?

google-chrome ssl ssl-certificate

I'm trying to set permitted name constraints on a private CA certificate. For example, I have the following constraints on my root certificate

X509v3 Name Constraints: critical
     Permitted:
       DNS:.mytestdomain.local
       DNS:mytestdomain.local

I've issued a certificate for another domain anothertestdomain.local. Both the Common Name and Subject Alternative Names are set to that domain. When testing validation for that certificate, OpenSSL and Firefox both fail with a Permitted Subtree Violation as expected. Chrome, however, accepts that certificate. Is this expected under Chrome?

I'm testing with Chromium on Linux.


Solution 1:

You can use BetterTLS to check the Name Constraints support of various clients. It's open source and made by the Netflix team.

BetterTLS is a test suite for HTTPS clients implementing verification of the Name Constraints certificate extension.

It works for the browser and for non-browser clients (like Java and Python).

Solution 2:

According to this Chromium bug, what you're experiencing is intended functionality. https://bugs.chromium.org/p/chromium/issues/detail?id=1072083

It sounds like you're placing nameConstraints on the root, which is not supported, not only in Chrome, but many major PKI implementations. That's because RFC 5280 does not require such support; imported root certificates are treated as trust anchors (that is, only the Subject and SPKI are used, not other extensions).

If you place the constraints on the intermediate, this should work as intended. The net-internals log and full chain will help confirm, in which case, this may be WontFix/WorkingAsIntended.

I have not verified either way, but apparently the functionality you're after works (or worked) on Chromium on MacOS, but it seems like that's short-lived.

I guess what threw me off is that macOS's SSL stack, the latest OpenSSL, and the latest stable Firefox were all were honoring nameConstraints on the root cert

Yeah, the inconsistency between platforms is something we're aware of, and we're in the process of aligning Chrome platforms to the Chrome on Linux behaviour (that is, treating the root cert as a trust anchor). The Firefox change was a recent change, and partially motivated by a publicly-trusted CA request (a consortium of Greek universities)

Related

RAID-5 inoperable, but no disk failure
OpenVPN - ERROR: Linux route add command failed: external program exited with error status: 2
LOW IOPS after MySQL RDS Upgrade
In e-mail, is there such a thing as a "to string"?
IP replace default outbound [closed]
Ubuntu 16.04 Virtual Machine / XenServer Storage Extend Issue
How to make sure docker service will start after containerd upgrade?
Is it possible to detect NICs in network that are connected to a router but belong to machines that are shutdown
Split DNS configuration: can't update external zone from internal system using nsupdate
How can I display the execution plan for a stored procedure?
Using Vi, Vim, or GVim as an IDE
UNIX Domain sockets vs Shared Memory (Mapped File)