
fix SNI wildcard matching #16

Open: wants to merge 1 commit into stage_for_upstream/v2.8a

Conversation

@manuelm commented Aug 8, 2016

The current code is using fnmatch(3), which allows a wildcard to match
multiple DNS labels, e.g. *.domain.tld matches foo.bar.domain.tld. This
is incorrect. According to the RFC a wildcard can at most match one DNS
label (only bar.domain.tld in the example above).

For OpenSSL 1.0.2 and above we make use of X509_check_host(). For older
versions we check the leftmost DNS label only, which is the same as what
Apache currently supports.

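As an added example (not the PR's or the project's own code), the C below puts the behaviour the description objects to, fnmatch(3) letting `*` span any number of labels, next to a matcher that treats a leading `*.` as exactly one leftmost label, which is the fallback the description proposes for OpenSSL releases older than 1.0.2. The function names and host names are constructed for this example.

```c
/* Added example, not code from the PR or the project it targets.
 * Compares fnmatch(3)-based SNI wildcard matching with a one-label
 * matcher in the style of RFC 6125 section 6.4.3. */
#include <fnmatch.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Behaviour being replaced: without FNM_PATHNAME, '*' in fnmatch also
 * matches '.', so "*.domain.tld" accepts "foo.bar.domain.tld". */
bool sni_match_fnmatch(const char *pattern, const char *hostname)
{
    return fnmatch(pattern, hostname, 0) == 0;
}

/* One-label matcher: a wildcard is recognised only as the whole leftmost
 * label ("*.") and consumes exactly one non-empty label of the host name.
 * Everything after it must match the remaining labels literally, compared
 * case-insensitively because DNS names are case-insensitive. A pattern
 * without a leading "*." must match the whole host name; a '*' anywhere
 * else in the pattern is an ordinary character. */
bool sni_match_one_label(const char *pattern, const char *hostname)
{
    if (pattern == NULL || hostname == NULL || *hostname == '\0')
        return false;

    if (strncmp(pattern, "*.", 2) != 0)
        return strcasecmp(pattern, hostname) == 0;   /* literal match */

    const char *rest = pattern + 1;                  /* ".domain.tld" */

    /* The wildcard must be followed by at least one real label
     * (rejects "*." and "*..tld"). */
    if (rest[1] == '\0' || rest[1] == '.')
        return false;

    /* The host name's leftmost label runs up to the first '.'; it must be
     * present and non-empty, otherwise there is nothing for '*' to match. */
    const char *dot = strchr(hostname, '.');
    if (dot == NULL || dot == hostname)
        return false;

    /* '*' has consumed exactly one label; the remainder must match literally,
     * so a second label in front of the pattern's suffix is rejected. */
    return strcasecmp(dot, rest) == 0;
}

int main(void)
{
    /* Constructed sample inputs for the comparison table. */
    static const char *pattern = "*.domain.tld";
    static const char *hosts[] = {
        "bar.domain.tld",      /* one label: both accept */
        "foo.bar.domain.tld",  /* two labels: fnmatch accepts, one-label rejects */
        "domain.tld",          /* no label for '*': both reject */
        "BAR.Domain.TLD",      /* case differs: both accept */
    };

    for (size_t i = 0; i < sizeof hosts / sizeof hosts[0]; i++) {
        printf("%-20s fnmatch=%d one-label=%d\n", hosts[i],
               sni_match_fnmatch(pattern, hosts[i]),
               sni_match_one_label(pattern, hosts[i]));
    }
    return 0;
}
```

On OpenSSL 1.0.2 and later the same decision can be delegated to X509_check_host(cert, name, namelen, flags, NULL), as the description says. The one-label matcher above implements only the rule stated in the description; it does not refuse wildcards in public-suffix positions such as *.com, which is a separate policy check.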
@manuelm changed the title from "fix TLS wildcard matching" to "fix SNI wildcard matching" on Aug 8, 2016
@manuelm force-pushed the stage_for_upstream/v2.8a branch from 3492fe3 to 9ed3aa7 on August 8, 2016 11:16