[squid-dev] [PATCH] SSL CN wildcard must only match a single domain component [fragment]

Christos Tsantilas christos at chtsanti.net
Mon Sep 5 08:42:07 UTC 2016


If there are no objections, I will apply this patch to trunk.


On 08/24/2016 06:31 PM, Christos Tsantilas wrote:
> When comparing the requested domain name with a certificate Common Name,
> Squid expanded the wildcard to cover more than one domain name label (a.k.a.
> component), violating the RFC 2818 requirement [1]. For example, Squid
> thought that wrong.host.example.com matched a *.example.com CN.
>
>     [1] "the wildcard character * ... is considered to match any single
>     domain name component or component fragment. E.g., *.a.com matches
>     foo.a.com but not bar.foo.a.com".
>
> In other contexts (e.g., ACLs), wildcards expand to all components.
> matchDomainName() now accepts a mdnRejectSubsubDomains flag that selects
> the right behavior for CN match validation.
>
> The old boolean honorWildcards parameter is replaced with a flag, for
> clarity and consistency's sake.
>
> This patch also handles the cases where the host name consists only of
> dots (e.g., a malformed Host header or SNI info). The old code had undefined
> behaviour in these cases. Moreover, it handles the case where a certificate
> contains a zero-length string as CN or alternate name.
>
> This is a Measurement Factory project.
>
>
> _______________________________________________
> squid-dev mailing list
> squid-dev at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-dev
>
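The single-label wildcard rule from RFC 2818 that the patch enforces, together with the malformed-host and empty-CN cases it mentions, as an added stand-alone example. This is not Squid's matchDomainName() and not code from the patch: the function hostMatchesName(), the MatchMode enum (whose MatchCnStyle value plays the role of the patch's mdnRejectSubsubDomains flag) and the helper splitLabels() are this example's own names. Two choices are stricter than the RFC 2818 text and are assumptions of this example only: the wildcard is accepted only as the whole leftmost label (no "f*.example.com" fragments), and a wildcard must be followed by at least two fixed labels, so "*.com" never matches.

```cpp
#include <cctype>
#include <iostream>
#include <string>
#include <vector>

// Hypothetical re-implementation of certificate-name matching; not Squid code.
enum MatchMode {
    MatchAclStyle,  // "*" may cover any number of labels (wildcard ACL semantics)
    MatchCnStyle    // "*" covers exactly one label (RFC 2818 CN/SAN validation)
};

// Split a DNS name into lowercased labels. Returns false when the name is
// malformed: empty, only dots, or containing an empty label. One trailing
// dot (FQDN form) is tolerated. A host like "..." or a zero-length CN ends
// here and can never match anything.
static bool splitLabels(std::string name, std::vector<std::string> &labels)
{
    labels.clear();
    if (!name.empty() && name.back() == '.')
        name.pop_back();
    if (name.empty())
        return false;
    std::string cur;
    for (char c : name) {
        if (c == '.') {
            if (cur.empty())
                return false;           // leading dot or ".." inside the name
            labels.push_back(cur);
            cur.clear();
        } else {
            cur.push_back(static_cast<char>(std::tolower(static_cast<unsigned char>(c))));
        }
    }
    if (cur.empty())
        return false;
    labels.push_back(cur);
    return true;
}

// True if 'host' matches the certificate name 'pattern' under 'mode'.
bool hostMatchesName(const std::string &host, const std::string &pattern, MatchMode mode)
{
    std::vector<std::string> h, p;
    if (!splitLabels(host, h) || !splitLabels(pattern, p))
        return false;                   // malformed host or empty CN: no match

    // Assumption of this example: "*" is only honoured as the entire leftmost
    // label; a "*" anywhere else makes the pattern unusable.
    for (size_t i = 1; i < p.size(); ++i)
        if (p[i].find('*') != std::string::npos)
            return false;
    if (p.front() != "*")
        return h == p;                  // no wildcard: exact label-by-label match

    // Assumption of this example: refuse "*" and "*.com" style patterns.
    if (p.size() < 3)
        return false;
    const size_t fixed = p.size() - 1;  // labels after the wildcard
    if (h.size() <= fixed)
        return false;                   // "*.example.com" does not match "example.com"
    if (mode == MatchCnStyle && h.size() != p.size())
        return false;                   // wrong.host.example.com vs *.example.com
    for (size_t i = 0; i < fixed; ++i)  // compare the fixed suffix labels
        if (h[h.size() - fixed + i] != p[1 + i])
            return false;
    return true;
}

int main()
{
    // Constructed inputs mirroring the cases discussed in the patch description.
    std::cout << hostMatchesName("foo.a.com", "*.a.com", MatchCnStyle) << "\n";            // 1
    std::cout << hostMatchesName("bar.foo.a.com", "*.a.com", MatchCnStyle) << "\n";        // 0
    std::cout << hostMatchesName("bar.foo.a.com", "*.a.com", MatchAclStyle) << "\n";       // 1
    std::cout << hostMatchesName("...", "*.example.com", MatchCnStyle) << "\n";            // 0
    std::cout << hostMatchesName("www.example.com", "", MatchCnStyle) << "\n";             // 0
    return 0;
}
```

The two modes differ only in the label-count check: with MatchCnStyle the host must have exactly as many labels as the pattern, so a wildcard stands for one label and nothing more; with MatchAclStyle any number of leading labels is accepted, which is what an ACL like a dstdomain wildcard wants but what a certificate check must never do.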
