[gnutls-devel] Overly permissive hostname matching

mancha mancha1 at hush.com
Wed Mar 19 03:48:57 CET 2014

On Tue, 18 Mar 2014 08:40:50 "Nikos Mavrogiannopoulos" wrote:
>That's a very interesting point, but I am not sure there is an 
>easy fix. GnuTLS follows RFC2818 for hostname verification, and
>that document is pretty clear on the scope of the wildcards. It
>mentions for example: "f*.com matches foo.com". Maybe we can
>forbid a first level wildcard, but is that practice documented
>somewhere? I don't see any IETF documents updating RFC2818.

Apropos, this is addressed client-side in different ways (e.g.):

1. Chromium (x509_certificate.cc)

 // Do not allow wildcards for public/ICANN registry controlled domains -
 // that is, prevent *.com or *.co.uk as valid presented names, but do not
 // prevent *.appspot.com (a private registry controlled domain).
 // In addition, unknown top-level domains (such as 'intranet' domains or
 // new TLDs/gTLDs not yet added to the registry controlled domain
 // are also implicitly prevented.
 // Because |reference_domain| must contain at least one name component that
 // is not registry controlled, this ensures that all reference
 // contain at least three domain components when using wildcards.
 size_t registry_length =

2. Mozilla (certdb.c)

 /* New approach conforms to RFC 6125. */
 char *wildcard    = PORT_Strchr(cn, '*');
 char *firstcndot  = PORT_Strchr(cn, '.');
 char *secondcndot = firstcndot ? PORT_Strchr(firstcndot+1, '.') : NULL;
 char *firsthndot  = PORT_Strchr(hn, '.');
 /* For a cn pattern to be considered valid, the wildcard
  * - may occur only in a DNS name with at least 3 components, and
  * - may occur only as last character in the first component, and
  * - may be preceded by additional characters, and
  * - must not be preceded by an IDNA ACE prefix (xn--)
  */
 if (wildcard && secondcndot && secondcndot[1] && firsthndot
     && firstcndot  - wildcard  == 1 /* wildcard is last char in first component */
     && secondcndot - firstcndot > 1 /* second component is non-empty */
     && PORT_Strrchr(cn, '*') == wildcard /* only one wildcard in cn */
     && !PORT_Strncasecmp(cn, hn, wildcard - cn)
     && !PORT_Strcasecmp(firstcndot, firsthndot)
        /* If hn starts with xn--, then cn must start with wildcard */
     && (PORT_Strncasecmp(hn, "xn--", 4) || wildcard == cn)) {
     /* valid wildcard pattern match */
     return SECSuccess;
 }


PS Nikos, I posted this message earlier via gmane[1] but it seems to
have been routed to a defunct list[2] rather than the current 
Have you seen this before?

[2] https://lists.gnu.org/archive/html/gnutls-devel/2014-
[3] http://lists.gnutls.org/pipermail/gnutls-devel/2014-
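As an added example (not code from GnuTLS, NSS or Chromium, and not part of the message above), the following stand-alone C matcher implements the RFC 6125 rule set quoted from NSS and layers on Chromium's refusal of a wildcard that would cover a whole registry-controlled domain. The public-suffix table is a constructed five-entry stand-in for Chromium's real dataset, and the names wildcard_match, is_public_suffix and the sample hostnames are assumptions made for the example. It shows why "f*.com" matching "foo.com" (the RFC 2818 example quoted by Nikos) is rejected under these rules, and why "*.co.uk" is rejected even though it has three labels.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Constructed stand-in for a registry-controlled (public) suffix list.
 * Chromium consults a full dataset; this short table exists only so the
 * example runs offline. */
static const char *const kPublicSuffixes[] = { "com", "net", "org", "uk", "co.uk" };

/* True if |domain| (no leading dot) is itself a registry-controlled suffix,
 * i.e. a wildcard covering all of it (*.com, *.co.uk) must be refused. */
static bool is_public_suffix(const char *domain)
{
    size_t n = sizeof(kPublicSuffixes) / sizeof(kPublicSuffixes[0]);
    for (size_t i = 0; i < n; i++)
        if (strcasecmp(domain, kPublicSuffixes[i]) == 0)
            return true;
    return false;
}

/* RFC 6125 style wildcard match of presented name |cn| against reference
 * identifier |hn|.  Only wildcard patterns are handled here; a cn without
 * '*' is left to the caller's exact-match path and returns false.
 * Rules enforced:
 *  - exactly one '*', and only as the last character of the first label,
 *  - cn has at least three labels and a non-empty second label,
 *  - the text before '*' must prefix hn's first label (case-insensitive),
 *  - everything from cn's first dot on must equal hn from its first dot on,
 *  - if hn begins with the IDNA ACE prefix "xn--", the first label of cn
 *    must be a bare "*" (no partial match inside an A-label),
 *  - the labels after the wildcard must not form a public suffix. */
bool wildcard_match(const char *cn, const char *hn)
{
    const char *wildcard    = strchr(cn, '*');
    const char *firstcndot  = strchr(cn, '.');
    const char *secondcndot = firstcndot ? strchr(firstcndot + 1, '.') : NULL;
    const char *firsthndot  = strchr(hn, '.');

    if (!wildcard || !secondcndot || !secondcndot[1] || !firsthndot)
        return false;                 /* no '*', or fewer than three labels */
    if (firsthndot == hn)
        return false;                 /* hn has an empty first label */
    if (firstcndot - wildcard != 1)
        return false;                 /* '*' must end the first label */
    if (secondcndot - firstcndot <= 1)
        return false;                 /* second label of cn is empty */
    if (strrchr(cn, '*') != wildcard)
        return false;                 /* more than one '*' in cn */
    if (strncasecmp(cn, hn, (size_t)(wildcard - cn)) != 0)
        return false;                 /* literal prefix before '*' differs */
    if (strcasecmp(firstcndot, firsthndot) != 0)
        return false;                 /* remaining labels must match exactly */
    if (strncasecmp(hn, "xn--", 4) == 0 && wildcard != cn)
        return false;                 /* no partial wildcard inside an A-label */
    if (is_public_suffix(firstcndot + 1))
        return false;                 /* Chromium rule: wildcard over a public suffix */
    return true;
}

int main(void)
{
    /* Constructed presented-name / reference-name pairs. */
    static const char *const pairs[][2] = {
        { "*.example.com",   "www.example.com" },
        { "f*.com",          "foo.com" },
        { "*.co.uk",         "example.co.uk" },
        { "*.example.com",   "xn--bcher-kva.example.com" },
        { "x*.example.com",  "xn--bcher-kva.example.com" },
        { "*.example.com",   "a.b.example.com" },
    };
    for (size_t i = 0; i < sizeof(pairs) / sizeof(pairs[0]); i++)
        printf("%-18s vs %-28s -> %s\n", pairs[i][0], pairs[i][1],
               wildcard_match(pairs[i][0], pairs[i][1]) ? "match" : "reject");
    return 0;
}
```

The ordering of the checks matters for clarity rather than security: every test is a pure string comparison on the two inputs, so rejecting early simply avoids the later comparisons. Note that "www*.example.com" still matches "www.example.com" (the wildcard may match zero characters), which is the same behaviour as the NSS code quoted above.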
