[gnutls-devel] Overly permissive hostname matching

Nikos Mavrogiannopoulos nmav at gnutls.org
Tue Mar 18 09:40:29 CET 2014

On Tue, Mar 18, 2014 at 7:11 AM, Jeffrey Walton <noloader at gmail.com> wrote:
> I believe GnuTLS has a security flaw in its certificate hostname matching code.
> In the attached server certificate, the hostname is provided via a
> Subject Alt Name (SAN). The only SAN entry is a DNS name for "*.com".
> Also attached is the default CA, which was used to sign the server's
> certificate.
> Effectively, wget accepts a single certificate for the gTLD of .COM.
> That's probably bad. If a CA is compromised, then the compromised CA
> could issue a "super certificate" and cover the entire top level
> domain space.

That's a very interesting point, but I am not sure there is an easy
fix. GnuTLS follows RFC2818 for hostname verification, and that
document is pretty clear on the scope of the wildcards. It mentions
for example: "f*.com matches foo.com". Maybe we can forbid a first
level wildcard, but is that practice documented somewhere? I don't see
any IETF documents updating RFC2818.

Maybe TLS-UTA [0], is a better discussion place for that.

[0]. https://tools.ietf.org/wg/uta/


More information about the Gnutls-devel mailing list