[openssl-dev] [openssl.org #4003] OpenSSL Bug report / Patch submission - wildcard_match in host verification
Sekwon Choi via RT
rt at openssl.org
Tue Aug 11 18:53:29 UTC 2015
Hi openssl team,
I would like to report a bug as below and patch for the fix.
[ Version affected ] :
1.0.2d (latest) and below (basically, all versions of openssl)
[ Operating system ] :
All
[ Bug description ] :
When we want to perform host verification using openssl's APIs that use
X509_check_host, a host URL that includes specific characters such as '_' or
'~' will fail when the CN from the certificate contains a wildcard
character.
The reason is that the wildcard_match function in
openssl-version/crypto/x509v3/v3_utl.c does not handle '_' and '~', while
those are allowed characters in a URL.
(patch attached separately)
--- ./openssl-1.0.2d/crypto/x509v3/v3_utl.c 2015-07-09 04:57:15.000000000
-0700
+++ ../OpenSSL/openssl-1.0.2d/crypto/x509v3/v3_utl.c 2015-08-11
10:15:19.905814872 -0700
@@ -787,7 +787,7 @@
if (!(('0' <= *p && *p <= '9') ||
('A' <= *p && *p <= 'Z') ||
('a' <= *p && *p <= 'z') ||
- *p == '-' || (allow_multi && *p == '.')))
+ *p == '-' || *p == '_' || *p == '~' || (allow_multi && *p ==
'.')))
return 0;
return 1;
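Review bot: the `*p == '_' || *p == '~'` additions to this loop widen the set of bytes a `*` may consume in the presented identifier, and the justification given (RFC 3986 unreserved characters) concerns URI syntax in general, not which names a DNS wildcard may match: DNS hostnames are limited to letters, digits and hyphen (the LDH rule of RFC 952/1123), which is exactly what the loop enforces, so accepting underscore and tilde under a wildcard extends the set of names a single wildcard certificate covers. The submission should state why that widening is acceptable for certificate name matching, or limit it to the case actually needed, before it is merged. Separately, the inline copy of the `+` line is wrapped by the mail client across two lines (`(allow_multi && *p ==` / `'.')))`), so the attached wildcard_match.patch, not the inline text, is what should be applied and reviewed.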
[ FYI ] :
RFC 3986 (Uniform Resource Identifier (URI): Generic Syntax)
https://tools.ietf.org/html/rfc3986#section-2.1
2.3. Unreserved Characters
Characters that are allowed in a URI but do not have a reserved
purpose are called unreserved. These include uppercase and lowercase
letters, decimal digits, hyphen, period, underscore, and tilde.
unreserved = ALPHA / DIGIT / "-" / "." / "_" / "~"
Suggested fix:
We propose to include '_' and '~' in the wildcard_match function so that
hostnames including those characters can be evaluated correctly.
Thanks
Sekwon Choi
senior software engineer
Netflix
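Added example (not OpenSSL's code and not part of the report above): a reduced model of the character check that wildcard_match applies to the bytes a '*' consumes, with a constructed `relaxed` switch that reproduces the report's proposed '_' / '~' change so the strict and relaxed outcomes can be compared on sample hostnames. Case-insensitive comparison and the other X509_check_host flags are left out; `wildcard_host_match` and `span_allowed` are names chosen here.

```c
/* Model of the "*" span check in X509_check_host's wildcard_match.
 * relaxed == 0: LDH only (letters, digits, hyphen), as in OpenSSL 1.0.2d.
 * relaxed == 1: additionally accept '_' and '~', as the report proposes. */
#include <stddef.h>
#include <string.h>

/* Returns 1 if every byte in [p, end) may be covered by the wildcard. */
static int span_allowed(const char *p, const char *end, int relaxed)
{
    for (; p != end; ++p) {
        if (('0' <= *p && *p <= '9') || ('A' <= *p && *p <= 'Z') ||
            ('a' <= *p && *p <= 'z') || *p == '-')
            continue;
        if (relaxed && (*p == '_' || *p == '~'))
            continue;
        return 0; /* '.' is rejected too: '*' matches a single label */
    }
    return 1;
}

/* Match subject against a pattern of the form "prefix*suffix"
 * (e.g. "*.example.com"). Returns 1 on match, 0 otherwise. */
int wildcard_host_match(const char *pattern, const char *subject, int relaxed)
{
    const char *star = strchr(pattern, '*');
    const char *span_start, *span_end;
    size_t plen, slen, sublen;

    if (star == NULL)                       /* no wildcard: exact compare */
        return strcmp(pattern, subject) == 0;
    plen = (size_t)(star - pattern);        /* bytes before '*' */
    slen = strlen(star + 1);                /* bytes after '*'  */
    sublen = strlen(subject);
    if (sublen < plen + slen)
        return 0;
    if (memcmp(subject, pattern, plen) != 0 ||
        memcmp(subject + sublen - slen, star + 1, slen) != 0)
        return 0;
    span_start = subject + plen;
    span_end = subject + sublen - slen;
    /* A wildcard that makes up the whole first label must cover at
     * least one byte, so ".example.com" never matches "*.example.com". */
    if (plen == 0 && star[1] == '.' && span_start == span_end)
        return 0;
    return span_allowed(span_start, span_end, relaxed);
}
```

With the strict rule, "my_host.example.com" is rejected by "*.example.com" (the underscore lies in the wildcard span), which is the failure the report describes; the relaxed rule accepts it, while multi-label subjects stay rejected under both.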
-------------- next part --------------
A non-text attachment was scrubbed...
Name: wildcard_match.patch
Type: text/x-patch
Size: 499 bytes
Desc: not available
URL: <http://mta.openssl.org/pipermail/openssl-dev/attachments/20150811/9279313d/attachment.bin>