[squid-dev] [PATCH] SSL CN wildcard must only match a single domain component [fragment]

Christos Tsantilas christos at chtsanti.net
Tue Sep 6 08:14:07 UTC 2016


On 09/06/2016 07:29 AM, Amos Jeffries wrote:
> On 25/08/2016 3:31 a.m., Christos Tsantilas wrote:
>> When comparing the requested domain name with a certificate Common Name,
>> Squid expanded wildcard to cover more than one domain name label (a.k.a
>> component), violating RFC 2818 requirement[1]. For example, Squid
>> thought that wrong.host.example.com matched a *.example.com CN.
>>
>>     [1] "the wildcard character * ... is considered to match any single
>>     domain name component or component fragment. E.g., *.a.com matches
>>     foo.a.com but not bar.foo.a.com".
>>
>> In other contexts (e.g., ACLs), wildcards expand to all components.
>> matchDomainName() now accepts a mdnRejectSubsubDomains flag that selects
>> the right behavior for CN match validation.
>>
>> The old boolean honorWildcards parameter was replaced with a flag, for
>> clarity and consistency's sake.
>>
>> This patch also handles the cases where the host name consists only of
>> dots (e.g., a malformed Host header or SNI info). The old code has undefined
>> behaviour in these cases. Moreover, it handles the case where a certificate
>> contains a zero-length string as CN or alternate name.
>>
>> This is a Measurement Factory project.
>>
>
> In matchDomainName you removed the comment:
> "
>     * This is a match only if the first domain character
>     * is a leading '.'.
> "
>
> That comment is still true. The squid.conf domain still needs to begin
> with a '.' for the match to return true from that if-statement.
> What you are changing is that other flag conditions also apply.

OK, this comment was not removed.

>
> Other than that +1. Please apply ASAP.

Applied to trunk as r14821.



>
> Amos
>
>
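The RFC 2818 rule quoted in the commit message, as an added example that is not Squid's matchDomainName: a small C++ checker in which a leading "*." covers exactly one label when `singleLabelWildcard` is set (the CN validation case) and any number of labels otherwise (the ACL-style expansion the message contrasts it with). The function name and flag are this example's own; it also rejects the malformed inputs the patch mentions (empty names and names made only of dots).

```cpp
#include <algorithm>
#include <cctype>
#include <iostream>
#include <string>

// Lower-case a DNS name so the comparison is case-insensitive.
static std::string lowerName(std::string s)
{
    std::transform(s.begin(), s.end(), s.begin(),
                   [](unsigned char c) { return std::tolower(c); });
    return s;
}

// Does certificate name `cn` cover `host`? (example code, not Squid's)
// singleLabelWildcard == true : "*." covers exactly one label (RFC 2818 CN check)
// singleLabelWildcard == false: "*." covers any number of labels (ACL-style)
bool matchesCertName(const std::string &hostIn, const std::string &cnIn,
                     bool singleLabelWildcard)
{
    // Malformed input: empty names, or names made only of dots
    // (e.g. a bogus Host header or SNI), never match anything.
    if (hostIn.empty() || cnIn.empty())
        return false;
    if (hostIn.find_first_not_of('.') == std::string::npos ||
        cnIn.find_first_not_of('.') == std::string::npos)
        return false;
    const std::string host = lowerName(hostIn);
    const std::string cn = lowerName(cnIn);
    // No leading "*.": the names must be identical (only that wildcard form is handled here).
    if (cn.compare(0, 2, "*.") != 0)
        return host == cn;
    // Wildcard form: host must end with ".example.com" and have something in front of it.
    const std::string suffix = cn.substr(1); // ".example.com"
    if (host.size() <= suffix.size())
        return false;
    if (host.compare(host.size() - suffix.size(), suffix.size(), suffix) != 0)
        return false;
    const std::string covered = host.substr(0, host.size() - suffix.size());
    if (!singleLabelWildcard)
        return true;                                   // "*" may span several labels
    return covered.find('.') == std::string::npos;     // exactly one label
}

int main()
{
    std::cout << std::boolalpha
              << matchesCertName("wrong.host.example.com", "*.example.com", true) << ' '
              << matchesCertName("wrong.host.example.com", "*.example.com", false) << '\n';
    return 0;
}
```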