[squid-dev] [PATCH] SSL CN wildcard must only match a single domain component [fragment]

Christos Tsantilas christos at chtsanti.net
Wed Sep 7 10:06:59 UTC 2016


I am also attaching the squid-3.5 version of the applied patch.

On 09/06/2016 11:14 AM, Christos Tsantilas wrote:
> On 09/06/2016 07:29 AM, Amos Jeffries wrote:
>> On 25/08/2016 3:31 a.m., Christos Tsantilas wrote:
>>> When comparing the requested domain name with a certificate Common Name,
>>> Squid expanded the wildcard to cover more than one domain name label (a.k.a.
>>> component), violating the RFC 2818 requirement [1]. For example, Squid
>>> thought that wrong.host.example.com matched a *.example.com CN.
>>>
>>>     [1] "the wildcard character * ... is considered to match any single
>>>     domain name component or component fragment. E.g., *.a.com matches
>>>     foo.a.com but not bar.foo.a.com".
>>>
>>> In other contexts (e.g., ACLs), wildcards expand to all components.
>>> matchDomainName() now accepts a mdnRejectSubsubDomains flag that selects
>>> the right behavior for CN match validation.
>>>
>>> The old boolean honorWildcards parameter was replaced with a flag, for
>>> clarity and consistency's sake.
>>>
>>> This patch also handles the cases where the host name consists only of
>>> dots (e.g. a malformed Host header or SNI info). The old code has undefined
>>> behaviour in these cases. Moreover, it handles the case where a certificate
>>> contains a zero-length string as CN or alternate name.
>>>
>>> This is a Measurement Factory project.
>>>
>>
>> in matchDomainName you removed the comment:
>> "
>>     * This is a match only if the first domain character
>>     * is a leading '.'.
>> "
>>
>> That comment is still true. The squid.conf domain still needs to begin
>> with a '.' for the match to return true from that if-statement.
>> What you are changing is that other flag conditions also apply.
>
> OK this comment was not removed.
>
>>
>> Other than that +1. Please apply ASAP.
>
> Applied to trunk as r14821.
>
>
>
>>
>> Amos
>>
>>
> _______________________________________________
> squid-dev mailing list
> squid-dev at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-dev

-------------- next part --------------
A non-text attachment was scrubbed...
Name: SQUID-187-ErrorDomainName_for_Wildcard_Certificates-squid-3.5-t4.patch
Type: text/x-patch
Size: 14550 bytes
Desc: not available
URL: <http://lists.squid-cache.org/pipermail/squid-dev/attachments/20160907/b83055fe/attachment.bin>
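The attached patch is not reproduced on this page, so the following is an added, stand-alone C++ illustration of the matching semantics the commit message describes; it is not Squid's matchDomainName() and its flag names, signature, normalize() helper and hostMatchesCertNames() wrapper are assumptions chosen for the example. It shows the three behaviours the message distinguishes: ACL-style matching where ".example.com" or "*.example.com" covers every label below the suffix, CN validation where the wildcard covers exactly one label per RFC 2818, and the two edge cases (a host made only of dots, a zero-length CN or SAN) that must simply fail to match rather than hit undefined behaviour.

```cpp
#include <cctype>
#include <string>
#include <vector>

// Flag names are modelled on the commit message (mdnRejectSubsubDomains) but
// are this example's own, not Squid's declarations.
enum MatchDomainNameFlags {
    mdnNone = 0,
    mdnHonorWildcards = 1 << 0,      // a leading "*." in the pattern is a wildcard label
    mdnRejectSubsubDomains = 1 << 1  // the wildcard may cover exactly one label (RFC 2818)
};

// Lower-case and strip trailing dots so "HOST.Example.COM." equals "host.example.com".
// A name made only of dots normalizes to the empty string.
static std::string normalize(const std::string &in)
{
    std::string s;
    for (char c : in)
        s.push_back(static_cast<char>(std::tolower(static_cast<unsigned char>(c))));
    while (!s.empty() && s.back() == '.')
        s.pop_back();
    return s;
}

// Does host match pattern? Pattern forms:
//   "example.com"   exact match only
//   ".example.com"  example.com itself and anything below it (squid.conf style)
//   "*.example.com" with mdnHonorWildcards: labels below example.com, never the apex;
//                   with mdnRejectSubsubDomains as well: exactly one label
bool matchDomainName(const std::string &hostIn, const std::string &patternIn, unsigned flags)
{
    const std::string host = normalize(hostIn);
    std::string pattern = normalize(patternIn);

    // Empty after normalization (e.g. a Host header of "...", or a zero-length CN):
    // no match, and no walking off the end of the string.
    if (host.empty() || pattern.empty())
        return false;

    bool wildcard = false;
    if ((flags & mdnHonorWildcards) && pattern.size() >= 2 && pattern[0] == '*' && pattern[1] == '.') {
        wildcard = true;
        pattern.erase(0, 1); // "*.example.com" -> ".example.com"
    }

    // Without a leading '.', only an exact match counts (a literal "*.x" stays literal).
    if (pattern[0] != '.')
        return host == pattern;

    const std::string bare = pattern.substr(1); // ".example.com" -> "example.com"
    if (bare.empty())
        return false; // pattern was nothing but dots

    // ".example.com" also matches the apex; "*.example.com" (RFC 2818) does not.
    if (!wildcard && host == bare)
        return true;

    // host must be strictly longer than the suffix and end with it.
    if (host.size() <= pattern.size() ||
        host.compare(host.size() - pattern.size(), pattern.size(), pattern) != 0)
        return false;

    // Everything in front of the suffix: "host" or "wrong.host".
    const std::string prefix = host.substr(0, host.size() - pattern.size());

    // CN validation: the wildcard stands for a single label, so a prefix containing
    // a dot ("wrong.host") is a sub-subdomain and is rejected.
    if (flags & mdnRejectSubsubDomains)
        return prefix.find('.') == std::string::npos;

    return true; // ACL semantics: any depth below the suffix
}

// Validate a requested host against the names a certificate presents (CN plus
// dNSName SANs), skipping zero-length entries instead of comparing against them.
bool hostMatchesCertNames(const std::string &host, const std::vector<std::string> &names)
{
    for (const std::string &n : names) {
        if (n.empty())
            continue;
        if (matchDomainName(host, n, mdnHonorWildcards | mdnRejectSubsubDomains))
            return true;
    }
    return false;
}
```

Only a leading whole-label wildcard is handled here; the RFC 2818 "component fragment" form (f*.com) and the distinction the commit message draws between CN validation and ACL matching are what the flags are for, so a caller doing CN checks must pass both mdnHonorWildcards and mdnRejectSubsubDomains, while an ACL lookup passes neither or only mdnHonorWildcards.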