[squid-dev] [PATCH] SSL CN wildcard must only match a single domain component [fragment]

Christos Tsantilas christos at chtsanti.net
Wed Aug 24 15:31:06 UTC 2016


When comparing the requested domain name with a certificate Common Name, 
Squid expanded the wildcard to cover more than one domain name label (a.k.a. 
component), violating an RFC 2818 requirement [1]. For example, Squid 
thought that wrong.host.example.com matched a *.example.com CN.

     [1] "the wildcard character * ... is considered to match any single
     domain name component or component fragment. E.g., *.a.com matches
     foo.a.com but not bar.foo.a.com".

In other contexts (e.g., ACLs), wildcards expand to all components. 
matchDomainName() now accepts a mdnRejectSubsubDomains flag that selects 
the right behavior for CN match validation.

The old boolean honorWildcards parameter was replaced with a flag, for 
clarity and consistency's sake.

This patch also handles the cases where the host name consists only of 
dots (e.g., a malformed Host header or SNI info). The old code had undefined 
behaviour in these cases. Moreover, it handles the case where a certificate 
contains a zero-length string as CN or alternate name.

This is a Measurement Factory project.
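The two wildcard behaviours described above (ACL-style "match any depth" versus the RFC 2818 single-label rule for certificate names), together with the dots-only and empty-name edge cases, as an added illustration. This is example code written for this page, not Squid's matchDomainName() or the attached patch; the flag names mirror the ones mentioned in the message, but their values and the function signature are assumptions.

```cpp
#include <algorithm>
#include <cctype>
#include <string>
#include <vector>

// Hypothetical flag set for this example; not Squid's actual definitions.
enum MatchDomainFlags {
    mdnNone = 0,
    mdnHonorWildcards = 1 << 0,      // a leading "*" label is a wildcard
    mdnRejectSubsubDomains = 1 << 1  // wildcard covers exactly one label (RFC 2818 CN rule)
};

// Split a name into lower-cased labels. Returns false when any label is
// empty, which covers the empty string, names made only of dots and
// consecutive dots (the malformed Host/SNI and zero-length CN cases).
static bool splitLabels(const std::string &name, std::vector<std::string> &labels)
{
    labels.clear();
    std::string cur;
    for (char c : name) {
        if (c == '.') {
            if (cur.empty())
                return false;
            labels.push_back(cur);
            cur.clear();
        } else {
            cur.push_back(static_cast<char>(std::tolower(static_cast<unsigned char>(c))));
        }
    }
    if (cur.empty())
        return false;
    labels.push_back(cur);
    return true;
}

// Returns true if host matches pattern. With mdnHonorWildcards, a pattern
// whose first label is "*" matches hosts ending in the remaining labels;
// with mdnRejectSubsubDomains as well, the "*" stands for exactly one
// label, so bar.foo.a.com does not match *.a.com.
bool matchDomainName(const std::string &host, const std::string &pattern, int flags)
{
    std::vector<std::string> h, p;
    if (!splitLabels(host, h) || !splitLabels(pattern, p))
        return false;   // malformed or empty input never matches

    const bool wildcard = (flags & mdnHonorWildcards) && p.front() == "*";
    if (!wildcard)
        return h == p;  // exact, case-insensitive label-by-label comparison

    // Labels the host must end with, i.e. everything after the "*".
    const std::vector<std::string> rest(p.begin() + 1, p.end());
    if (rest.empty())
        return false;   // a bare "*" pattern is not accepted

    if (h.size() <= rest.size())
        return false;   // the wildcard must cover at least one label
    if ((flags & mdnRejectSubsubDomains) && h.size() != rest.size() + 1)
        return false;   // RFC 2818: exactly one label, not sub-sub-domains

    return std::equal(rest.begin(), rest.end(), h.end() - rest.size());
}
```

For certificate name checks the caller passes both flags, so `*.a.com` accepts `foo.a.com` and rejects `bar.foo.a.com`; for ACL-style matching only mdnHonorWildcards is passed and the wildcard covers any number of labels. Rejecting malformed input outright keeps the dots-only case from reaching the comparison at all.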
-------------- next part --------------
A non-text attachment was scrubbed...
Name: SQUID-187-ErrorDomainName_for_Wildcard_Certificates-t4.patch
Type: text/x-patch
Size: 14600 bytes
Desc: not available
URL: <http://lists.squid-cache.org/pipermail/squid-dev/attachments/20160824/0f58ff27/attachment.bin>


More information about the squid-dev mailing list