[openssl-dev] [openssl.org #4239] [PATCH] fixing wildcard matching on punycode domains

Zi Lin via RT rt at openssl.org
Fri Jan 15 15:32:12 UTC 2016


Hi OpenSSL Devs,

I have this bug fix for broken wildcard matching on punycode domains
in OpenSSL. Specifically, the current implementation actually can't
match "www.xn--foobar.com" against a certificate using SAN
"*.xn--foobar.com". I filed an issue on github too.
https://github.com/openssl/openssl/issues/419

This patch fixes the problem and also introduces a good check/reject
on invalid domain names that start with '-'. The wildcard matching
algorithm also needs some improvement, but that is out of the scope of
this bug fix.

The patch can be applied by "patch -p1 < puny-code-wildcard-match.patch".

My build system is Ubuntu 14.04; the version of OpenSSL targeted is
the master branch on github.

A separate fix for branch OpenSSL_1_0_2-stable is attached as well.
The reason we need that separate patch is that the test file paths in
master and v1.0.2-stable have deviated.

Any feedback is appreciated.

Best,

Zi

-------------- next part --------------
A non-text attachment was scrubbed...
Name: puny-code-wildcard-match.patch
Type: application/octet-stream
Size: 3125 bytes
Desc: not available
URL: <http://mta.openssl.org/pipermail/openssl-dev/attachments/20160115/a70324bb/attachment.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: puny-code-wildcard-match-v102.patch
Type: application/octet-stream
Size: 3468 bytes
Desc: not available
URL: <http://mta.openssl.org/pipermail/openssl-dev/attachments/20160115/a70324bb/attachment-0001.obj>
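The patches themselves are only attachments here, so as an added illustration (not the author's patch and not OpenSSL's own matching code) the following C program shows the two behaviours the mail asks for: a wildcard SAN such as "*.xn--foobar.com" covers "www.xn--foobar.com", and a host label that begins with '-' is rejected. The functions `label_ok`, `name_ok`, `eq_ci` and `wildcard_match` are names chosen for this example. Runs of hyphens inside a label are deliberately permitted, since that is what an IDNA A-label ("xn--...") needs; a leading or trailing hyphen is not.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_LABEL 63

/* Example code, not OpenSSL's: a label is acceptable if it is 1..63
 * letters, digits and hyphens and neither starts nor ends with '-'.
 * Consecutive hyphens are allowed so "xn--foobar" validates. */
static bool label_ok(const char *p, size_t n)
{
    if (n == 0 || n > MAX_LABEL)
        return false;
    if (p[0] == '-' || p[n - 1] == '-')
        return false;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)p[i];
        if (!isalnum(c) && c != '-')
            return false;
    }
    return true;
}

/* Validate every label of a dotted name; empty labels (".." or a
 * trailing dot) are rejected. An empty name is vacuously valid here
 * and is caught by the caller. */
static bool name_ok(const char *s)
{
    while (*s) {
        const char *dot = strchr(s, '.');
        size_t n = dot ? (size_t)(dot - s) : strlen(s);
        if (!label_ok(s, n))
            return false;
        if (!dot)
            break;
        s = dot + 1;
        if (*s == '\0')
            return false;
    }
    return true;
}

/* Number of labels in a non-empty dotted name. */
static int label_count(const char *s)
{
    int n = 1;
    for (; *s; s++)
        if (*s == '.')
            n++;
    return n;
}

/* Case-insensitive equality of two NUL-terminated names. */
static bool eq_ci(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return false;
    return *a == '\0' && *b == '\0';
}

/* True if host is covered by the certificate name pattern. A '*' is
 * accepted only as the complete leftmost label, the suffix must keep at
 * least two labels (so "*.com" is refused), and the wildcard stands for
 * exactly one valid host label. Any other pattern must match exactly;
 * a '*' anywhere else (e.g. "xn--*.example.com") fails name_ok. */
bool wildcard_match(const char *pattern, const char *host)
{
    if (*host == '\0' || !name_ok(host))
        return false;

    if (strncmp(pattern, "*.", 2) == 0) {
        const char *suffix = pattern + 2;
        if (*suffix == '\0' || !name_ok(suffix) || label_count(suffix) < 2)
            return false;
        const char *dot = strchr(host, '.');
        if (dot == NULL)
            return false;
        return eq_ci(dot + 1, suffix);
    }

    if (!name_ok(pattern))
        return false;
    return eq_ci(pattern, host);
}

int main(void)
{
    /* Constructed sample inputs mirroring the cases in the mail. */
    const char *cases[][2] = {
        {"*.xn--foobar.com", "www.xn--foobar.com"},
        {"*.xn--foobar.com", "-bad.xn--foobar.com"},
        {"*.xn--foobar.com", "a.b.xn--foobar.com"},
        {"*.com", "example.com"},
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-20s %-22s %s\n", cases[i][0], cases[i][1],
               wildcard_match(cases[i][0], cases[i][1]) ? "match" : "no match");
    return 0;
}
```

The matcher is intentionally conservative: it only supports the full-label wildcard form, which is the case the mail is about, and treats anything it cannot validate as a non-match rather than guessing.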