[gnutls-devel] GnuTLS | multiple certificates containing wildcards - squid 5.7 error (#1599)
Read-only notification of GnuTLS library development activities
gnutls-devel at lists.gnutls.org
Mon Oct 28 13:00:57 CET 2024
Mihael Milea created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1599
I have a setup with squid 5.7 (which uses GnuTLS) on debian 12 with multiple domains and Let's Encrypt certificates with wildcards for each domain. Let's say I have
domain1 with cert1 for domain1 *.domain1
domain2 with cert2 for domain2, *.domain2
the squid.conf contains:
https_port 443 accel defaultsite=something \
tls-cert=/cert1/fullchain.pem tls-key=/cert1/privkey.pem \
tls-cert=/cert2/fullchain.pem tls-key=/cert2/privkey.pem
Now the result:
https://domain1 => good, squid uses cert1
https://subdomain.domain1 => good, squid uses cert1
https://domain2 => good, squid uses cert2
https://subdomain.domain2 => BAD, squid fails to identify that this is a subdomain of domain2 that matches the wildcard *.domain2 and then squid deploys cert1 instead, resulting in a browser warning that the certificate is not for the requested subdomain.domain2!
I submitted this as a bug in the squid bug report - https://bugs.squid-cache.org/show_bug.cgi?id=5467 - and I was told that it is GnuTLS that identifies which subdomain.domain combination is used and it is also GnuTLS that chooses which certificate to deploy - is this true? If yes, then the bug is about GnuTLS failing to identify a certificate generated with wildcards when a subdomain of that domain is used.
Thank you for any help and input!
mihael
## Version of gnutls used: I don't know how to identify which GnuTLS version was used when squid 5.7 was compiled for debian 12.
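As an added illustration (not part of the issue report, and not code from GnuTLS or squid), the following Python models the server-side step the report is about: taking the hostname the client sends in the TLS SNI extension and picking, from the configured certificate list, the one whose subjectAltName dNSName entries cover it, with RFC 6125-style wildcard matching (a single `*` standing for exactly one left-most label). The certificates are constructed stand-ins carrying only their SAN names, the file paths and hostnames mirror the issue's squid.conf, and the first configured certificate is assumed to be the fallback when nothing matches, which is the behaviour the report observes for subdomain.domain2.

```python
"""Model of SNI -> certificate selection with wildcard SAN matching.

Added example; the certificate objects are constructed samples (SAN names
only, no real PEM data) mirroring the two Let's Encrypt certificates in the
issue. The fallback-to-first-certificate rule is an assumption about how a
server behaves when no SAN matches, not documented GnuTLS behaviour.
"""
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple


@dataclass(frozen=True)
class Cert:
    path: str               # path given to squid's tls-cert= option
    sans: Tuple[str, ...]   # dNSName entries from subjectAltName


# Constructed samples: same layout as the issue's squid.conf (order matters).
CERT1 = Cert("/cert1/fullchain.pem", ("domain1", "*.domain1"))
CERT2 = Cert("/cert2/fullchain.pem", ("domain2", "*.domain2"))
CONFIGURED_CERTS: Tuple[Cert, ...] = (CERT1, CERT2)


def hostname_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style comparison of one SAN dNSName against an SNI hostname.

    Rules applied: case-insensitive; exact match; otherwise the pattern must
    start with "*." and the "*" must consume exactly one non-empty label
    (so "*.domain2" covers "sub.domain2" but neither "domain2" nor
    "a.b.domain2"). Wildcards anywhere else are rejected.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern or not hostname:
        return False
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    suffix = pattern[1:]            # "*.domain2" -> ".domain2"
    if "*" in suffix or not hostname.endswith(suffix):
        return False
    leftmost = hostname[: -len(suffix)]
    # The wildcard label must be non-empty and must not span a dot.
    return bool(leftmost) and "." not in leftmost


def select_cert(certs: Sequence[Cert], sni: Optional[str]) -> Tuple[Cert, Optional[str]]:
    """Return (chosen certificate, SAN entry that matched).

    Certificates are tried in configured order and the first covering SAN
    wins. With no SNI, or no matching SAN, the first configured certificate is
    returned with matched SAN None (assumed fallback behaviour).
    """
    if not certs:
        raise ValueError("no certificates configured")
    if sni:
        for cert in certs:
            for san in cert.sans:
                if hostname_matches(san, sni):
                    return cert, san
    return certs[0], None


def selection_table(certs: Sequence[Cert], hostnames: Sequence[str]):
    """Map each requested hostname to the certificate path it should receive."""
    return {host: select_cert(certs, host)[0].path for host in hostnames}


if __name__ == "__main__":
    requests = ["domain1", "subdomain.domain1", "domain2", "subdomain.domain2", "a.b.domain2"]
    for host in requests:
        cert, san = select_cert(CONFIGURED_CERTS, host)
        why = f"matched SAN {san!r}" if san else "no SAN matched, fallback to first cert"
        print(f"{host:20s} -> {cert.path}  ({why})")
```

Running it shows the four outcomes the report expects (cert2 for subdomain.domain2 because `*.domain2` covers it) plus one case the report does not mention: a two-level name such as a.b.domain2 is not covered by `*.domain2` and falls back to cert1, which is correct wildcard semantics rather than a bug. When debugging a selection problem like this one, the first things to compare against this model are the actual SAN list in each fullchain.pem (for example with `openssl x509 -noout -ext subjectAltName`) and the exact SNI string the client sends.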