[gnutls-devel] Overly permissive hostname matching

Nikos Mavrogiannopoulos nmav at gnutls.org
Wed Mar 19 14:22:06 CET 2014


On Wed, Mar 19, 2014 at 3:48 AM, mancha <mancha1 at hush.com> wrote:

> Apropos, this is addressed client-side in different ways (e.g.):
> 1. Chromium (x509_certificate.cc)
[...]
> 2. Mozilla (certdb.c)
[...]

Hello,
 Indeed, I think that this should be changed in new versions of
gnutls. I think the mozilla rule of:
- may occur only in a DNS name with at least 3 components, and

Is a good one to start with. However, I'd appreciate if somebody could
bring that up to the TLS-UTA working group (I'm too busy to pursue
that). I think that the wildcard behaviour, if needed at all, should
be defined by an IETF document, rather than each implementation making
its own assumptions.

regards,
Nikos


> PS Nikos, I posted this message earlier via gmane[1] but it seems to
> have been routed to a defunct list[2] rather than the current
> one[3].
> Have you seen this before?

No, I haven't used gmane for posting. Is there anything I can do for
fixing that?

regards,
Nikos
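To make the difference concrete, here is an added example (not GnuTLS code, and not something either poster wrote) that puts a permissive glob-style hostname matcher beside one applying the Mozilla rule quoted above: a wildcard may occur only in a DNS name with at least three components. The extra restriction that the wildcard must be the entire leftmost label is an assumption taken from common practice (RFC 6125, section 6.4.3), not from this thread; the certificate patterns and hostnames used are constructed for illustration.

```python
"""
Hostname-versus-certificate-name matching, permissive and strict.

Added example, not GnuTLS code.  match_permissive() behaves like a plain
glob, which is the overly permissive behaviour discussed in the thread.
match_strict() applies the Mozilla rule quoted above ("* may occur only in
a DNS name with at least 3 components") plus the assumption, drawn from
RFC 6125 section 6.4.3 rather than from the thread, that the wildcard must
be the whole leftmost label.
"""
import fnmatch


def _labels(name: str) -> list[str]:
    """Split a DNS name into labels; case-insensitive, trailing dot ignored."""
    return name.lower().rstrip(".").split(".")


def match_permissive(pattern: str, hostname: str) -> bool:
    """Glob matching: '*' matches any run of characters, dots included.

    This is the weak behaviour: '*.com' matches 'evil.example.com' and a
    bare '*' matches every host.
    """
    return fnmatch.fnmatchcase(
        hostname.lower().rstrip("."), pattern.lower().rstrip(".")
    )


def match_strict(pattern: str, hostname: str) -> bool:
    """Exact match, or a wildcard constrained as described in the thread."""
    p = _labels(pattern)
    h = _labels(hostname)
    if any(lbl == "" for lbl in h):
        return False                      # malformed host (e.g. 'a..b')
    if "*" not in pattern:
        return p == h                     # no wildcard: labels must be equal
    # Assumption (RFC 6125 6.4.3): wildcard is the whole leftmost label only.
    if p[0] != "*" or any("*" in lbl for lbl in p[1:]):
        return False
    # Mozilla rule quoted in the thread: at least 3 components.
    if len(p) < 3:
        return False
    # '*' stands for exactly one label, so label counts must agree and the
    # remaining labels must match exactly.
    return len(h) == len(p) and h[1:] == p[1:]


def compare(pattern: str, hostname: str) -> tuple[bool, bool]:
    """Return (permissive_result, strict_result) for one pattern/host pair."""
    return match_permissive(pattern, hostname), match_strict(pattern, hostname)


if __name__ == "__main__":
    # Constructed cases: certificate name pattern vs. presented hostname.
    cases = [
        ("www.example.com", "WWW.example.com."),   # exact, case/dot-insensitive
        ("*.example.com", "www.example.com"),      # ordinary wildcard
        ("*.example.com", "a.b.example.com"),      # wildcard spanning a dot
        ("*.com", "evil.example.com"),             # only 2 components
        ("*", "example.com"),                      # bare wildcard
        ("w*.example.com", "www.example.com"),     # partial-label wildcard
    ]
    print(f"{'pattern':<18}{'hostname':<20}{'permissive':<12}strict")
    for pat, host in cases:
        perm, strict = compare(pat, host)
        print(f"{pat:<18}{host:<20}{str(perm):<12}{strict}")
```

Running the module prints a small table; the rows where the permissive column says True and the strict column says False are exactly the certificate names a CA should never have issued but a glob matcher would happily accept.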
