[Patch] Non-permissive subjectAltName wildcard

Andreas Metzler ametzler at downhill.at.eu.org
Sun May 4 14:00:23 CEST 2008


This is http://bugs.debian.org/479174, reported by Jean-Philippe Garcia:

On 2008-05-03 Jean-Philippe Garcia Ballester <giga at le-pec.org> wrote:
> It seems to me that the subjectAltName wildcard matching has strong
> constraints.

> First, it allows only one wildcard. Since a wildcard can only match
> a single domain component, multiple wildcards are useful (e.g.,
> *.*.example.org). I did not see in the rfc 2818 such restriction.

> Second, it only allows the wildcard to be at the beginning of the
> hostname.  Since the rfc 2818 gives “f*.com” as an example, I
> believe this is a false assertion.

> Third, it only allows the wildcard to be followed by a ‘.’. This is
> not clearly stated in the rfc, but I believe it is reasonable to
> assume that if “f*.com” is allowed, then “f*o.com” should be allowed
> as well.

> The attached patch fixes all these issues and adds some tests.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: gnutls26-2.2.3~rc_subject_alt_name_permissive_wildcard.patch
Type: text/x-diff
Size: 13307 bytes
Desc: not available
URL: </pipermail/attachments/20080504/2cda47bd/attachment.patch>
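The matching semantics the report asks for (a wildcard matches only within a single domain component, several wildcards may appear, and a wildcard may sit in the middle of a label as in “f*o.com”) can be checked against a small reference matcher. The following is an added example written for this page, not the attached patch or GnuTLS code; the function name hostname_matches and the rule that label counts must agree on both sides are assumptions of this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>
#include <ctype.h>

/* DNS names are case-insensitive; compare one character in lower case. */
static int lower(int c) { return tolower((unsigned char)c); }

/* Glob-match one pattern label against one hostname label.  '*' matches
 * zero or more characters of that label only; it never spans a '.',
 * because the caller splits both strings at every '.' before calling.
 * Backtracking on the last '*' seen lets a label carry several wildcards. */
static bool label_match(const char *pat, size_t plen, const char *lab, size_t llen)
{
    size_t p = 0, l = 0, star_p = (size_t)-1, star_l = 0;
    while (l < llen) {
        if (p < plen && pat[p] == '*') { star_p = p++; star_l = l; continue; }
        if (p < plen && lower(pat[p]) == lower(lab[l])) { p++; l++; continue; }
        if (star_p != (size_t)-1) { p = star_p + 1; l = ++star_l; continue; }
        return false;            /* mismatch and no wildcard to widen */
    }
    while (p < plen && pat[p] == '*') p++;   /* trailing '*' may match "" */
    return p == plen;
}

/* Match a hostname against a subjectAltName dNSName pattern label by label.
 * Both sides must have the same number of labels, so "*.a.com" matches
 * "foo.a.com" but not "bar.foo.a.com", and "*.*.example.org" matches
 * "a.b.example.org" but not "a.example.org".  Empty labels are rejected. */
bool hostname_matches(const char *pattern, const char *hostname)
{
    for (;;) {
        const char *pd = strchr(pattern, '.');
        const char *hd = strchr(hostname, '.');
        size_t plen = pd ? (size_t)(pd - pattern) : strlen(pattern);
        size_t hlen = hd ? (size_t)(hd - hostname) : strlen(hostname);
        if (plen == 0 || hlen == 0) return false;
        if (!label_match(pattern, plen, hostname, hlen)) return false;
        if (!pd || !hd) return !pd && !hd;   /* both must end on the same label */
        pattern = pd + 1;
        hostname = hd + 1;
    }
}
```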
