Re: Overly permissive hostname matching
From: mancha
Subject: Re: Overly permissive hostname matching
Date: Tue, 18 Mar 2014 15:25:33 +0000 (UTC)
User-agent: Loom/3.14 (http://gmane.org/)
Nikos Mavrogiannopoulos <nmav <at> gnutls.org> writes:
> That's a very interesting point, but I am not sure there is an easy
> fix. GnuTLS follows RFC2818 for hostname verification, and that
> document is pretty clear on the scope of the wildcards. It mentions
> for example: "f*.com matches foo.com". Maybe we can forbid a first
> level wildcard, but is that practice documented somewhere? I don't see
> any IETF documents updating RFC2818.
>
> Maybe TLS-UTA [0] is a better discussion place for that.
Apropos, this is addressed at the client level in different ways (e.g.):
1. Chromium (x509_certificate.cc)
// Do not allow wildcards for public/ICANN registry controlled domains -
// that is, prevent *.com or *.co.uk as valid presented names, but do not
// prevent *.appspot.com (a private registry controlled domain).
// In addition, unknown top-level domains (such as 'intranet' domains or
// new TLDs/gTLDs not yet added to the registry controlled domain dataset)
// are also implicitly prevented.
// Because |reference_domain| must contain at least one name component that
// is not registry controlled, this ensures that all reference domains
// contain at least three domain components when using wildcards.
size_t registry_length =
    registry_controlled_domains::GetRegistryLength(
        reference_name,
        registry_controlled_domains::INCLUDE_UNKNOWN_REGISTRIES,
        registry_controlled_domains::EXCLUDE_PRIVATE_REGISTRIES);
2. Mozilla (certdb.c)
/* New approach conforms to RFC 6125. */
char *wildcard = PORT_Strchr(cn, '*');
char *firstcndot = PORT_Strchr(cn, '.');
char *secondcndot = firstcndot ? PORT_Strchr(firstcndot+1, '.') : NULL;
char *firsthndot = PORT_Strchr(hn, '.');
/* For a cn pattern to be considered valid, the wildcard character...
* - may occur only in a DNS name with at least 3 components, and
* - may occur only as last character in the first component, and
* - may be preceded by additional characters, and
* - must not be preceded by an IDNA ACE prefix (xn--)
*/
if (wildcard && secondcndot && secondcndot[1] && firsthndot
    && firstcndot - wildcard == 1   /* wildcard is last char in first component */
    && secondcndot - firstcndot > 1 /* second component is non-empty */
    && PORT_Strrchr(cn, '*') == wildcard /* only one wildcard in cn */
    && !PORT_Strncasecmp(cn, hn, wildcard - cn)
    && !PORT_Strcasecmp(firstcndot, firsthndot)
    /* If hn starts with xn--, then cn must start with wildcard */
    && (PORT_Strncasecmp(hn, "xn--", 4) || wildcard == cn)) {
    /* valid wildcard pattern match */
    return SECSuccess;
}
--mancha
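The NSS rules quoted in the message above, carried into a stand-alone C function as an added example (not part of the original post, and not NSS, Chromium or GnuTLS code): the name wildcard_match, its signature and the sample hostnames are assumptions, and plain libc strchr/strcasecmp stand in for the PORT_ wrappers.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>
/* cn: presented name from the certificate (may contain '*'), hn: reference
 * hostname. True only if cn is a valid wildcard pattern AND matches hn.
 * Assumed name/signature; not NSS's or GnuTLS's API. */
bool wildcard_match(const char *cn, const char *hn)
{
    const char *wildcard    = strchr(cn, '*');
    const char *firstcndot  = strchr(cn, '.');
    const char *secondcndot = firstcndot ? strchr(firstcndot + 1, '.') : NULL;
    const char *firsthndot  = strchr(hn, '.');
    if (!wildcard || !secondcndot || !secondcndot[1] || !firsthndot)
        return false;                 /* no '*', or fewer than 3 labels      */
    if (firstcndot - wildcard != 1)
        return false;                 /* '*' must be last in the first label */
    if (secondcndot - firstcndot <= 1)
        return false;                 /* second label must be non-empty      */
    if (strrchr(cn, '*') != wildcard)
        return false;                 /* exactly one '*' allowed             */
    /* Prefix before '*' must match hn, and labels after the first must be equal. */
    if (strncasecmp(cn, hn, (size_t)(wildcard - cn)) != 0)
        return false;
    if (strcasecmp(firstcndot, firsthndot) != 0)
        return false;
    /* An A-label (xn--) in hn may only be matched by a bare "*" first label. */
    if (strncasecmp(hn, "xn--", 4) == 0 && wildcard != cn)
        return false;
    return true;
}

int main(void)
{
    /* Constructed sample pairs: presented name vs reference hostname. */
    static const char *pairs[][2] = {
        { "*.example.com",    "www.example.com" },           /* match    */
        { "www*.example.com", "wwwfoo.example.com" },        /* match    */
        { "*.com",            "foo.com" },                   /* no match */
        { "f*.com",           "foo.com" },                   /* no match */
        { "x*.example.com",   "xn--bcher-kva.example.com" }, /* no match */
    };
    for (size_t i = 0; i < sizeof pairs / sizeof pairs[0]; i++)
        printf("%-17s vs %-26s -> %s\n", pairs[i][0], pairs[i][1],
               wildcard_match(pairs[i][0], pairs[i][1]) ? "match" : "no match");
    return 0;
}
```

With these rules "f*.com" from RFC 2818's own example is refused outright, while a wildcard in the first of three or more labels still matches, which is the behaviour the two browser snippets converge on.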