[gnutls-devel] Overly permissive hostname matching

Jeffrey Walton noloader at gmail.com
Tue Mar 18 07:11:02 CET 2014

I believe GnuTLS has a security flaw in its certificate hostname matching code.

In the attached server certificate, the hostname is provided via a
Subject Alt Name (SAN). The only SAN entry is a DNS name for "*.com".
Also attached is the default CA, which was used to sign the server's

Effectively, wget accepts a single certificate for the gTLD of .COM.
That's probably bad. If a CA is compromised, then the compromised CA
could issue a "super certificate" and cover the entire top level
domain space.

I suspect wget also accepts certificates for .COM's friends, like
.NET, .ORG, .MIL, etc.

It's probably not limited to gTLDs. Mozilla maintains a list of
effective TLDs at https://wiki.mozilla.org/Public_Suffix_List. The
1600+ effective TLDs are probably accepted, too.

Attached are the certificates, keys, and commands to set up a test rig
with OpenSSL's s_server. The certificates are issued for example.com,
and require a modification to /etc/hosts to make things work as

Jeffrey Walton
Baltimore, MD, US

$ echo -e "GET / HTTP/1.0\r\n" | gnutls-cli --x509cafile
ca-rsa-cert.pem example.com --port 8443
Processed 1 CA certificate(s).
Resolving 'example.com'...
Connecting to ''...
- Certificate type: X.509
 - Got a certificate list of 1 certificates.
 - Certificate[0] info:
  - subject `O=Example\, LLC,CN=Example Certificate', issuer
`C=US,O=Example\, LLC,CN=Example CA', RSA key 2048 bits, signed using
RSA-SHA256, activated `2014-01-01 00:00:00 UTC', expires `2024-01-01
00:00:00 UTC', SHA-1 fingerprint
- The hostname in the certificate matches 'example.com'.
- Peer's certificate is trusted
- Version: TLS1.0
- Key Exchange: RSA
- Cipher: AES-128-CBC
- Compression: NULL
- Handshake was completed
-------------- next part --------------
A non-text attachment was scrubbed...
Name: hostname-verification.tar.gz
Type: application/x-gzip
Size: 6409 bytes
Desc: not available
URL: </pipermail/attachments/20140318/5a1e0612/attachment-0001.bin>
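The behaviour the report describes, as an added example that is not part of the original post and not GnuTLS's own code: a glob-style matcher that lets "*.com" cover example.com, next to a matcher that applies the RFC 6125 section 6.4.3 wildcard rules and additionally refuses a wildcard whose parent is a public suffix. The PUBLIC_SUFFIXES set is a constructed, deliberately tiny stand-in for the Mozilla Public Suffix List the post links to; a real checker would load the full list.

```python
"""Wildcard hostname matching: the naive form beside a hardened form.

Added example. PUBLIC_SUFFIXES is a constructed stand-in for the Mozilla
Public Suffix List (https://wiki.mozilla.org/Public_Suffix_List); it is
far from complete and exists only so the example runs offline.
"""
import re

# Constructed subset; load the real list in production.
PUBLIC_SUFFIXES = {"com", "net", "org", "mil", "co.uk", "github.io"}

# One DNS label: LDH rule, 1-63 characters, no leading/trailing hyphen.
LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")


def naive_match(pattern: str, hostname: str) -> bool:
    """Glob-style matching as the report describes it.

    '*.com' is treated as "anything ending in .com", so a certificate for
    '*.com' matches example.com (and every other .com host).
    """
    pattern, hostname = pattern.lower(), hostname.lower()
    if not pattern.startswith("*."):
        return pattern == hostname
    return hostname.endswith(pattern[1:])  # '*.com' -> endswith('.com')


def strict_match(pattern: str, hostname: str, suffixes=PUBLIC_SUFFIXES) -> bool:
    """RFC 6125 section 6.4.3 style wildcard rules plus a public-suffix check.

    - comparison is case-insensitive; without a wildcard, labels must be equal
    - a wildcard is allowed only as the entire leftmost label ('*.example.com')
    - at least two labels must follow the wildcard ('*.com' is rejected)
    - the labels after the wildcard must not themselves be a public suffix
      ('*.co.uk' is rejected)
    - the wildcard matches exactly one label, never zero or several
    """
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if not all(LABEL_RE.match(label) for label in h_labels):
        return False  # malformed hostname
    if "*" not in pattern:
        return p_labels == h_labels
    if p_labels[0] != "*" or any("*" in label for label in p_labels[1:]):
        return False  # partial ('w*.example.com') or non-leftmost wildcard
    parent = p_labels[1:]
    if len(parent) < 2:
        return False  # '*.com': only one label after the wildcard
    if ".".join(parent) in suffixes:
        return False  # '*.co.uk': wildcard would cover a whole eTLD
    if not all(LABEL_RE.match(label) for label in parent):
        return False  # malformed pattern
    return len(h_labels) == len(p_labels) and h_labels[1:] == parent


def san_matches(san_dns_names, hostname: str, matcher=strict_match) -> bool:
    """True if any dNSName SAN entry matches the hostname under `matcher`."""
    return any(matcher(name, hostname) for name in san_dns_names)


if __name__ == "__main__":
    # The report's certificate: a single dNSName SAN of '*.com'.
    san = ["*.com"]
    print("naive :", san_matches(san, "example.com", naive_match))   # True
    print("strict:", san_matches(san, "example.com", strict_match))  # False
```

Running the block shows the report's case directly: under the naive matcher the single "*.com" SAN entry is accepted for example.com, while the strict matcher rejects it because only one label follows the wildcard. The same rule set also rejects "*.co.uk" because "co.uk" is on the (constructed) suffix list, which is why a public-suffix check belongs in the matcher and not only a label count.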
