[openssl-dev] [openssl.org #4003] OpenSSL Bug report / Patch submission - wildcard_match in host verification
Kurt Roeckx via RT
rt at openssl.org
Tue Aug 11 19:22:58 UTC 2015
On Tue, Aug 11, 2015 at 06:53:29PM +0000, Sekwon Choi via RT wrote:
> When we want to perform a host verification using openssl's APIs that use
> X509_check_host, a host URL that includes specific characters such as '_' or
> '~' will fail when the CN from the certificate contains a wildcard
> character.
>
> The reason is that the wildcard_match function in
> openssl-version/crypto/x509v3/v3_utils.c is not handling '_' and '~' while
> those are allowed characters in a URL.
It's checking the hostname, not the URL. _ and ~ are not allowed
in DNS and so not in a hostname.
It looks to me like you're trying to validate a URL instead of a
hostname. I don't know of any standard that allows you to put a
URL in a certificate, and it also doesn't make much sense.
Kurt
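As an added illustration of the point made in the reply (example code written for this page, not code from the thread or from OpenSSL): a certificate name is compared against the hostname taken out of the URL, that hostname must satisfy DNS's letter-digit-hyphen rule, and a wildcard stands in for exactly one label. The function names and the simplified matching rules below are assumptions; OpenSSL's own wildcard_match also accepts partial-label wildcards and honours X509_check_host flags, which this model leaves out.

```python
import re
from urllib.parse import urlsplit

# DNS "LDH" label rule: letters, digits and hyphens, 1-63 characters,
# not beginning or ending with a hyphen. '_' and '~' are not in this set.
LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_valid_hostname(name):
    """True if every label of `name` is a valid DNS label (trailing dot allowed)."""
    name = name.rstrip(".")
    if not name or len(name) > 253:
        return False
    return all(LABEL_RE.match(label) for label in name.split("."))


def hostname_from_url(url):
    """Return only the host part; userinfo, port, path and query are never
    compared against a certificate name (returns None if the URL has no host)."""
    return urlsplit(url).hostname


def wildcard_match(pattern, hostname):
    """Simplified model (assumption, not OpenSSL's algorithm) of matching a
    certificate name against a hostname:
      - the hostname itself must be a valid DNS name, so '_' and '~' fail here;
      - without a wildcard the labels must match exactly (case-insensitive);
      - a wildcard must be the whole leftmost label, followed by at least two
        more labels, and it matches exactly one label of the hostname.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not is_valid_hostname(hostname):
        return False
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if "*" not in pattern:
        return is_valid_hostname(pattern) and p_labels == h_labels
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False                      # no '*.com', no 'f*.example.com'
    if not all(LABEL_RE.match(label) for label in p_labels[1:]):
        return False                      # only one wildcard, in the first label
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def url_matches_cn(url, cn):
    """Extract the hostname from a URL, then match it against a certificate CN."""
    host = hostname_from_url(url)
    return host is not None and wildcard_match(cn, host)


if __name__ == "__main__":
    # Constructed sample inputs, mirroring the thread: '~' in the path is
    # harmless because only the host is compared, '_' in the host is rejected.
    for url in ("https://www.example.com/~user", "https://foo_bar.example.com/"):
        print(url, "->", url_matches_cn(url, "*.example.com"))
```

The first constructed URL matches the wildcard name because only `www.example.com` is compared and the `~` lives in the path; the second fails because `foo_bar` is not a DNS label, which is exactly the behaviour the reply describes.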