[TS-4480] Wildcards in certificates should only match one level - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: None
Fix Version/s: 7.0.0
Component/s: Core, SSL
Labels:
None

Description

According to RFC 6125 section 6.4.3:

If the wildcard character is the only character of the left-most label in the presented identifier, the client SHOULD NOT compare against anything but the left-most label of the reference identifier (e.g., *.example.com would match foo.example.com but not bar.foo.example.com or example.com).

In the current implementation, certificates are searched for in a trie, and the longest match is returned, but there is no check if that match complies with the above rule. This causes invalid certs to be returned and SLL errors in the browser (in Firefox, we get SSL_ERROR_BAD_CERT_DOMAIN).

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

current_patch.diff
02/Jun/16 00:03
4 kB
Michael Sokolnicki

Issue Links

links to

GitHub Pull Request #992

GitHub Pull Request #1019

Activity

People

Assignee:: Susan Hinrichs

Reporter:: Michael Sokolnicki

Votes:: 0 Vote for this issue

Watchers:: 4 Start watching this issue

Dates

Created:: 24/May/16 22:46

Updated:: 07/Nov/16 23:25

Resolved:: 13/Sep/16 20:12

Time Tracking

Estimated:

Not Specified

Remaining:

Logged: