[Patch] Non-permissive subjectAltName wildcard

Nikos Mavrogiannopoulos nmav at gnutls.org
Sun May 4 15:48:40 CEST 2008

Andreas Metzler wrote:
> Hello,
> this http://bugs.debian.org/479174 reported by Jean-Philippe Garcia
> Ballester:
> On 2008-05-03 Jean-Philippe Garcia Ballester <giga at le-pec.org> wrote:
>> It seems too me that the subjectAltName wildcard matching has strong 
>> constraints.
>> First, it allows only one wildcard. Since a wildcard can only match
>> a single domain component, multiple wildcards are useful (e.g.,
>> *.*.example.org). I did not see in the rfc 2818 such restriction.

Thank you for the patch. I need some clarifications before including it
though. Having such as permissive wildcard is quite dangerous. Why would
one specify *.*.example.org instead of the much simpler *.example.org?

>> Second, it only allows the wildcard to be at the beginning of the
>> hostname.  Since the rfc 2818 gives “f*.com” as an example, I
>> believe this is a false assert.

f*.com is not a good example :) I don't think that such a wildcard
certificate has a real world usage, and if any CA signs it would be at
error. Of course this applies to *.com as well...

Probably your point is for wildcards such as test*.gnutls.org?

>> Third, it only allows the wildcard to be followed by a ‘.’. This is
>> not clearly stated in the rfc, but I believe it is reasonnable to
>> assume that if “f*.com” is allowed, then “f*o.com” should be allowed
>> as well.

What is your use case that does not work by the current simple wildcard?


More information about the Gnutls-devel mailing list