[openssl-dev] [openssl.org #4003] OpenSSL Bug report / Patch submission - wildcard_match in host verification

Viktor Dukhovni openssl-users at dukhovni.org
Tue Aug 11 21:42:46 UTC 2015


On Tue, Aug 11, 2015 at 08:25:53PM +0000, Sekwon Choi via RT wrote:

> Hi Viktor and Kurt,
> 
> Thanks for the quick response. I think I agree with you guys. I looked up
> the hostname RFCs again (RFC 952 and 1123), not the URI RFC, and indeed, '_' and '~'
> are not valid characters to be used in hostnames.
> 
> So technically, what openssl is doing is right. What makes it tricky is that,
> since there are many hostnames using '_' in the wild, even libcurl seems not
> to check '_' or '~' for a hostname's validity.
> 
> I think hostname verification with those characters should be handled
> outside of openssl context.

When processing DNS name wildcards it is appropriate to ensure that
one is actually dealing with valid DNS names.  If certificates
contain garbage in subjectAltName components of type DNSName, then
they won't be matched by X509_check_host().

Perhaps we should also check for correct hostname syntax when
processing non-wildcard names (exact case-insensitive comparison
with user supplied name), and may do so in the future, but I see
no reason to relax the rules that ensure name validity in the
wildcard case.

-- 
	Viktor.
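The rule discussed above, as an added illustration that is not OpenSSL's own wildcard_match code: a small model of wildcard matching that only honours a wildcard when the DNSName pattern and the presented name both satisfy RFC 952/1123 label syntax, while an exact (non-wildcard) comparison is left as a plain case-insensitive match, as the reply notes OpenSSL currently does. The "at least two labels after the '*'" and "whole leftmost label only" constraints are assumptions of this model, not claims about the library.

```python
import re

# Label syntax per RFC 952/1123 as the thread describes it: letters, digits and
# hyphens only, no leading or trailing hyphen, 1-63 characters.  '_' and '~'
# therefore fail this check.
_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def is_valid_dns_name(name: str) -> bool:
    """True if every label of `name` satisfies RFC 952/1123 host syntax."""
    if not name or len(name) > 253:
        return False
    labels = name.rstrip(".").split(".")
    return all(_LABEL.match(label) for label in labels)


def wildcard_match(pattern: str, host: str) -> bool:
    """Match a certificate DNSName `pattern` (possibly '*.example') against `host`.

    Model of the policy in the thread (assumption, not OpenSSL's code): a
    wildcard is honoured only when the label it stands for and the rest of the
    name are syntactically valid DNS names.  Comparison is case-insensitive.
    """
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        # Exact name: the thread notes syntax is not (yet) enforced here.
        return pattern == host
    plabels, hlabels = pattern.split("."), host.split(".")
    # Only a bare '*' as the entire leftmost label, with at least two labels
    # after it (so '*.com' is rejected), and the same label count on both sides.
    if plabels[0] != "*" or len(plabels) < 3 or len(plabels) != len(hlabels):
        return False
    # Garbage such as 'www_1' in the matched label, or in the suffix, is a miss.
    if not is_valid_dns_name(hlabels[0]) or not is_valid_dns_name(".".join(plabels[1:])):
        return False
    return plabels[1:] == hlabels[1:]
```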

