[squid-dev] [PATCH] SSL CN wildcard must only match a single domain component [fragment]

Christos Tsantilas christos at chtsanti.net
Wed Aug 24 15:31:06 UTC 2016

When comparing the requested domain name with a certificate Common Name, 
Squid expanded wildcard to cover more than one domain name label (a.k.a 
component), violating RFC 2818 requirement[1]. For example, Squid 
thought that wrong.host.example.com matched a *.example.com CN.

     [1] "the wildcard character * ... is considered to match any single
     domain name component or component fragment. E.g., *.a.com matches
     foo.a.com but not bar.foo.a.com".

In other contexts (e.g., ACLs), wildcards expand to all components. 
matchDomainName() now accepts a mdnRejectSubsubDomains flag that selects 
the right behavior for CN match validation.

The old boolean honorWildcards parameter replaced with a flag, for 
clarity and consistency sake.

This patch also handles the cases where the host name consists only from 
dots (eg malformed Host header or SNI info). The old code has undefined 
behaviour in these cases. Moreover it handles the case a certificate 
contain zero length string as CN or alternate name.

This is a Measurement Factory project.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: SQUID-187-ErrorDomainName_for_Wildcard_Certificates-t4.patch
Type: text/x-patch
Size: 14600 bytes
Desc: not available
URL: <http://lists.squid-cache.org/pipermail/squid-dev/attachments/20160824/0f58ff27/attachment.bin>

More information about the squid-dev mailing list