[squid-dev] [PATCH] SSL CN wildcard must only match a single domain component [fragment]
Amos Jeffries
squid3 at treenet.co.nz
Tue Sep 6 04:29:17 UTC 2016
On 25/08/2016 3:31 a.m., Christos Tsantilas wrote:
> When comparing the requested domain name with a certificate Common Name,
> Squid expanded wildcard to cover more than one domain name label (a.k.a
> component), violating RFC 2818 requirement[1]. For example, Squid
> thought that wrong.host.example.com matched a *.example.com CN.
>
> [1] "the wildcard character * ... is considered to match any single
> domain name component or component fragment. E.g., *.a.com matches
> foo.a.com but not bar.foo.a.com".
>
> In other contexts (e.g., ACLs), wildcards expand to all components.
> matchDomainName() now accepts a mdnRejectSubsubDomains flag that selects
> the right behavior for CN match validation.
>
> The old boolean honorWildcards parameter was replaced with a flag, for
> clarity and consistency's sake.
>
> This patch also handles the cases where the host name consists only of
> dots (e.g. malformed Host header or SNI info). The old code has undefined
> behaviour in these cases. Moreover it handles the case where a certificate
> contains a zero-length string as CN or alternate name.
>
> This is a Measurement Factory project.
>
In matchDomainName you removed the comment:
"
* This is a match only if the first domain character
* is a leading '.'.
"
That comment is still true. The squid.conf domain still needs to begin
with a '.' for the match to return true from that if-statement.
What you are changing is that other flag conditions also apply.
Other than that +1. Please apply ASAP.
Amos
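As an added illustration that is not Squid's matchDomainName() and not part of this thread: a stand-alone C++ check applying the single-label rule the patch description quotes from RFC 2818, with a boolean playing the role of mdnRejectSubsubDomains. The helper names are hypothetical; only the leading "*." wildcard form is handled, and zero-length or dots-only names are rejected rather than compared.

```cpp
#include <algorithm>
#include <cctype>
#include <string>
#include <vector>

// Hypothetical helper (not Squid's code): lower-cases "A.b.C" and splits it
// into ["a","b","c"]; an empty label marks a malformed name such as "..".
static std::vector<std::string> splitLabels(const std::string &name) {
    std::vector<std::string> labels(1);
    for (char c : name) {
        if (c == '.')
            labels.emplace_back();
        else
            labels.back() += static_cast<char>(std::tolower(static_cast<unsigned char>(c)));
    }
    return labels;
}

// Does certificate name `pattern` cover `host`?
// rejectSubsubDomains == true : RFC 2818 rule, a leading "*." matches exactly
//                               one label, so *.example.com covers foo.example.com only.
// rejectSubsubDomains == false: ACL-style expansion, "*." covers any number of labels.
// Zero-length names and names with empty labels (only dots, "a..b") never match.
bool certNameMatches(const std::string &host, const std::string &pattern,
                     bool rejectSubsubDomains) {
    if (host.empty() || pattern.empty())
        return false;
    const auto h = splitLabels(host);
    const auto p = splitLabels(pattern);
    auto hasEmpty = [](const std::vector<std::string> &v) {
        return std::any_of(v.begin(), v.end(), [](const std::string &s) { return s.empty(); });
    };
    if (hasEmpty(h) || hasEmpty(p))
        return false;
    if (p[0] != "*")
        return h == p;                     // literal name: exact label-wise equality
    if (p.size() < 2)
        return false;                      // a bare "*" would match everything; refuse it
    const size_t suffixLen = p.size() - 1; // labels after the wildcard
    if (h.size() <= suffixLen)
        return false;                      // the wildcard must consume at least one label
    if (rejectSubsubDomains && h.size() != suffixLen + 1)
        return false;                      // wrong.host.example.com vs *.example.com
    // the non-wildcard suffix must match label by label
    return std::equal(p.begin() + 1, p.end(), h.end() - static_cast<long>(suffixLen));
}
```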