[Patch] Non-permissive subjectAltName wildcard
nmav at gnutls.org
Sun May 4 15:48:40 CEST 2008
Andreas Metzler wrote:
> this http://bugs.debian.org/479174 reported by Jean-Philippe Garcia
> On 2008-05-03 Jean-Philippe Garcia Ballester <giga at le-pec.org> wrote:
>> It seems too me that the subjectAltName wildcard matching has strong
>> First, it allows only one wildcard. Since a wildcard can only match
>> a single domain component, multiple wildcards are useful (e.g.,
>> *.*.example.org). I did not see in the rfc 2818 such restriction.
Thank you for the patch. I need some clarifications before including it
though. Having such as permissive wildcard is quite dangerous. Why would
one specify *.*.example.org instead of the much simpler *.example.org?
>> Second, it only allows the wildcard to be at the beginning of the
>> hostname. Since the rfc 2818 gives “f*.com” as an example, I
>> believe this is a false assert.
f*.com is not a good example :) I don't think that such a wildcard
certificate has a real world usage, and if any CA signs it would be at
error. Of course this applies to *.com as well...
Probably your point is for wildcards such as test*.gnutls.org?
>> Third, it only allows the wildcard to be followed by a ‘.’. This is
>> not clearly stated in the rfc, but I believe it is reasonnable to
>> assume that if “f*.com” is allowed, then “f*o.com” should be allowed
>> as well.
What is your use case that does not work by the current simple wildcard?
More information about the Gnutls-devel