[openssl-dev] [openssl.org #4003] OpenSSL Bug report / Patch submission - wildcard_match in host verification
Sekwon Choi via RT
rt at openssl.org
Tue Aug 11 20:25:53 UTC 2015
Hi Viktor and Kurt,
Thanks for the quick response. I think I agree with you guys. I looked up
the hostname RFCs again (RFC952 and 1123), not the URI RFC, and indeed, '_' and '~'
are not valid characters to be used in a hostname.
So technically, what openssl is doing is right. What makes it tricky is that,
since there are many hostnames using '_' in the wild, even libcurl seems not
to check '_' or '~' for hostname's validity.
I think hostname verification with those characters should be handled
outside of openssl context.
Thanks
Sekwon
On Tue, Aug 11, 2015 at 12:29 PM, openssl-dev at openssl.org via RT <
rt at openssl.org> wrote:
> On Tue, Aug 11, 2015 at 07:22:58PM +0000, Kurt Roeckx via RT wrote:
>
> > It looks to me that you're trying to validate a URL instead of a
> > hostname. I don't know of any standard that allows you to put a
> > URL in a certificate and it also doesn't make much sense.
>
> Certificates IIRC can have URI subjectAltNames, I don't recall
> whether we support matching these. If we did, that would certainly
> not be via X509_check_host(), there would have to be an X509_check_uri()
> interface.
>
> --
> Viktor.
>
>
>