[gnutls-devel] Overly permissive hostname matching

Daniel Kahn Gillmor dkg at fifthhorseman.net
Tue Mar 18 15:23:08 CET 2014

On 03/18/2014 04:40 AM, Nikos Mavrogiannopoulos wrote:
> That's a very interesting point, but I am not sure there is an easy
> fix. GnuTLS follows RFC2818 for hostname verification, and that
> document is pretty clear on the scope of the wildcards. It mentions
> for example: "f*.com matches foo.com". Maybe we can forbid a first
> level wildcard, but is that practice documented somewhere? I don't see
> any IETF documents updating RFC2818.

RFC 2818 is a web-specific reference, so it doesn't cover all uses of
TLS; the CA/Browser Forum baseline requirements section 11.1.3 covers
what CAs are supposed to do about wildcard issuance:


the CABForum guidelines have no mention of anything on mixed
wildcard/non-wildcard labels in the CN or dNSNames, which makes me think
they haven't even been considered.  I don't think f*.com is a reasonable
thing for modern CAs to issue.

for other IETF references, RFC 6125 has some useful material, though it
explicitly deprecates wildcards, only recommending their use for
backward/legacy compatibility:



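The following is an added example, not GnuTLS code and not part of the message above: a small Python matcher that puts the permissive RFC 2818 reading (a wildcard may be a label fragment in any position, so f*.com matches foo.com) next to a strict rule set that follows RFC 6125 section 6.4.3 (wildcard only in the left-most label, matching exactly one label) and additionally refuses the partial-label wildcards that RFC 6125 merely permits. Function names, the two rule sets and the test cases are my own.

```python
# Added example for the wildcard discussion: permissive RFC 2818-style
# matching beside a strict RFC 6125-style matcher. Not GnuTLS code;
# names and cases are the editor's own.


def _labels(name):
    """Lower-case a DNS name, drop a trailing dot, split into labels."""
    return name.lower().rstrip(".").split(".")


def _reference_ok(labels):
    """The reference identifier (the host we intended to reach) must
    itself carry no wildcard and no empty label."""
    return all(lab and "*" not in lab for lab in labels)


def match_rfc2818(presented, reference):
    """RFC 2818 section 3.1 reading: '*' matches any single label or any
    fragment of a label, in any position. So 'f*.com' matches 'foo.com'
    and '*.com' matches 'foo.com'. A label with two wildcards is refused
    rather than guessed at."""
    p, r = _labels(presented), _labels(reference)
    if not _reference_ok(r) or len(p) != len(r):
        return False
    for pl, rl in zip(p, r):
        if "*" not in pl:
            if pl != rl:
                return False
            continue
        head, _, tail = pl.partition("*")
        if "*" in tail:
            return False
        # the fixed parts must fit inside the reference label without overlap
        if len(rl) < len(head) + len(tail):
            return False
        if not (rl.startswith(head) and rl.endswith(tail)):
            return False
    return True


def match_strict(presented, reference):
    """RFC 6125 section 6.4.3 rules 1 and 2, plus a refusal of the
    partial-label wildcards rule 3 only permits: the wildcard must be the
    entire left-most label, it matches exactly one label, and at least
    two labels must follow it, so '*.com' never matches anything."""
    p, r = _labels(presented), _labels(reference)
    if not _reference_ok(r) or not all(p):
        return False
    if "*" not in presented:
        return p == r
    if p[0] != "*" or any("*" in lab for lab in p[1:]):
        return False  # wildcard is a fragment, or not in the left-most label
    if len(p) < 3:
        return False  # '*.com' or a bare '*'
    return len(r) == len(p) and p[1:] == r[1:]


if __name__ == "__main__":
    # constructed cases, including the RFC 2818 example quoted in the thread
    cases = [
        ("f*.com", "foo.com"),
        ("*.com", "foo.com"),
        ("*.example.com", "foo.example.com"),
        ("*.example.com", "bar.foo.example.com"),
        ("*.example.com", "example.com"),
        ("bar.*.example.com", "bar.foo.example.com"),
        ("www.example.com", "WWW.example.com."),
    ]
    for pres, ref in cases:
        print(f"{pres:20} vs {ref:22} rfc2818={match_rfc2818(pres, ref)!s:5} "
              f"strict={match_strict(pres, ref)}")
```

Running it shows the gap the thread is about: f*.com and *.com both pass the RFC 2818 reading and both fail the strict one, while the ordinary *.example.com case passes both and still refuses to span two labels under either.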