[gnutls-devel] Overly permissive hostname matching

Daniel Kahn Gillmor dkg at fifthhorseman.net
Tue Mar 18 15:23:08 CET 2014


On 03/18/2014 04:40 AM, Nikos Mavrogiannopoulos wrote:
> That's a very interesting point, but I am not sure there is an easy
> fix. GnuTLS follows RFC2818 for hostname verification, and that
> document is pretty clear on the scope of the wildcards. It mentions
> for example: "f*.com matches foo.com". Maybe we can forbid a first
> level wildcard, but is that practice documented somewhere? I don't see
> any IETF documents updating RFC2818.

RFC 2818 is a web-specific reference, so it doesn't cover all uses of
TLS; the CA/Browser Forum baseline requirements section 11.1.3 covers
what CAs are supposed to do about wildcard issuance:

https://cabforum.org/wp-content/uploads/Baseline_Requirements_V1_1_6.pdf

The CABForum guidelines make no mention of mixed wildcard/non-wildcard
labels in the CN or dNSNames, which makes me think they haven't even been
considered. I don't think f*.com is a reasonable thing for modern CAs to
issue.

For other IETF references, RFC 6125 has some useful material, though it
explicitly deprecates wildcards, only recommending their use for
backward/legacy compatibility:

https://tools.ietf.org/html/rfc6125#section-6.4.3
https://tools.ietf.org/html/rfc6125#section-7.2

	--dkg

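As an added illustration (not code from GnuTLS or from anyone on this thread), here is a C hostname matcher that applies the RFC 6125 section 6.4.3 rules referenced above: a wildcard is accepted only as the complete left-most label and stands for exactly one label, so the RFC 2818 example f*.com is refused, as is bar.*.example.net. The additional requirement of at least two labels after the wildcard (which rejects *.com) is this example's own conservative choice, not a rule quoted from either RFC.

```c
#include <string.h>
#include <strings.h>
#include <stdio.h>

/* Split off the left-most DNS label: returns its length and sets *rest to
 * the text after the first '.', or to NULL when there is no further label. */
static size_t first_label(const char *s, const char **rest)
{
    const char *dot = strchr(s, '.');
    if (dot == NULL) { *rest = NULL; return strlen(s); }
    *rest = dot + 1;
    return (size_t)(dot - s);
}

static int count_labels(const char *s)
{
    int n = 1;
    for (; *s; s++) if (*s == '.') n++;
    return n;
}

/* Returns 1 if host matches the presented identifier pattern under the
 * strict RFC 6125 6.4.3 interpretation, 0 otherwise. */
int match_hostname_strict(const char *pattern, const char *host)
{
    const char *prest, *hrest;
    size_t plen = first_label(pattern, &prest);
    size_t hlen = first_label(host, &hrest);

    /* A wildcard anywhere but the left-most label (bar.*.example.net) is refused. */
    if (prest != NULL && strchr(prest, '*') != NULL) return 0;

    if (plen == 1 && pattern[0] == '*') {
        /* Whole-label wildcard: require at least two labels after it (so
         * *.com is refused) and let it stand for exactly one host label. */
        if (prest == NULL || count_labels(prest) < 2) return 0;
        if (hrest == NULL || hlen == 0) return 0;
        return strcasecmp(prest, hrest) == 0;
    }
    /* Partial-label wildcards such as the RFC 2818 example f*.com are refused. */
    if (memchr(pattern, '*', plen) != NULL) return 0;

    /* No wildcard at all: plain case-insensitive comparison of the whole name. */
    return strcasecmp(pattern, host) == 0;
}

int main(void)
{
    /* Constructed sample pairs; the second and third are exactly the cases
     * the thread argues about. */
    printf("%d\n", match_hostname_strict("*.example.com", "foo.example.com")); /* 1 */
    printf("%d\n", match_hostname_strict("f*.com", "foo.com"));                /* 0 */
    printf("%d\n", match_hostname_strict("*.com", "foo.com"));                 /* 0 */
    return 0;
}
```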