[gnutls-devel] Overly permissive hostname matching

Nikos Mavrogiannopoulos nmav at gnutls.org
Wed Mar 19 14:22:06 CET 2014

On Wed, Mar 19, 2014 at 3:48 AM, mancha <mancha1 at hush.com> wrote:

> Apropos, this is addressed client-side in different ways (e.g.):
> 1. Chromium (x509_certificate.cc)
> 2. Mozilla (certdb.c)

 Indeed, I think that this should be changed in new versions of
gnutls. I think the mozilla rule of:
- may occur only in a DNS name with at least 3 components, and

Is a good one to start with. However, I'd appreciate if somebody could
bring that up to the TLS-UTA working group (I'm too busy to pursue
that). I think that the wildcard behaviour, if needed at all, should
be defined by an IETF document, rather than each implementation making
its own assumptions.


> PS Nikos, I posted this message earlier via gmane[1] but it seems to
> have been routed to a defunct list[2] rather than the current
> one[3].
> Have you seen this before?

No, I haven't used gmane for posting. Is there anything I can do for
fixing that?


More information about the Gnutls-devel mailing list