Error in parsing SSL certificates with email address

[ju916]

If you sprecify an (optional) email address in the certificate request, sslsniff adds it to the CN as part of the hostname. This results in invalid DNS lookups.

Example:

$ openssl req -new -nodes -keyout heise.key -out heise.csr -days 365
Generating a 1024 bit RSA private key
...
Common Name (eg, YOUR name) []:www.heise.de
Email Address []:[email protected]
...

$ openssl x509 -in certs/heise.crt -noout -text
...
Subject: C=AU, ST=Some-State, O=Internet Widgits Pty Ltd, CN=www.heise.de/emailAddress=[email protected]
...
$ sslsniff -t -c ./certs/ -s 1414 -w x1.log
terminate called after throwing an instance of 'boost::exception_detail::clone_implboost::exception_detail::error_info_injector<boost::system::system_error >'
what(): Host not found (authoritative)
Abgebrochen

tcpdump shows, that sslsniff does a DNS query for "www.heise.de/emailAddress=[email protected]" which of course does not exist.

[ju916]

Previous was with sslsniff 0.8; rechecked with current version from github:

$ ./sslsniff -t -c ./certs/ -s 1414 -w x1.log
terminate called after throwing an instance of 'BadCertificateException'
what(): Could not parse certificate...
Abgebrochen

Better but still not really good because the certificate is perfectly valid and usable.

[artgoldberg]

openssl (LibreSSL 2.8.3) has the same problem.