Posted to issues@trafficserver.apache.org by "James Peach (JIRA)" <ji...@apache.org> on 2016/06/06 16:45:21 UTC

[jira] [Commented] (TS-4480) Wildcards in certificates should only match one level

    [ https://issues.apache.org/jira/browse/TS-4480?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15316738#comment-15316738 ] 

James Peach commented on TS-4480:
---------------------------------

I thought about this a bit, and I wonder why we even need to do a trie search here. Originally we used a trie because we wanted to do a longest match. If we are not doing a longest match, then for a name "foo.example.com", we could just do hash lookups for "foo.example.com" and "example.com". One of the original ideas about using a trie was that we keep it as the single index, but it ended up being too slow and memory intensive to use for large numbers of certificates.

> Wildcards in certificates should only match one level
> -----------------------------------------------------
>
>                 Key: TS-4480
>                 URL: https://issues.apache.org/jira/browse/TS-4480
>             Project: Traffic Server
>          Issue Type: Bug
>          Components: Core, SSL
>            Reporter: Michael Sokolnicki
>             Fix For: 7.0.0
>
>         Attachments: current_patch.diff
>
>
> According to RFC 6125 section 6.4.3:
> {quote}
> If the wildcard character is the only character of the left-most label in the presented identifier, the client SHOULD NOT compare against anything but the left-most label of the reference identifier (e.g., *.example.com would match foo.example.com but not bar.foo.example.com or example.com).
> {quote}
> In the current implementation, certificates are searched for in a trie, and the longest match is returned, but there is no check if that match complies with the above rule. This causes invalid certs to be returned and SSL errors in the browser (in Firefox, we get SSL_ERROR_BAD_CERT_DOMAIN).



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
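The one-label rule quoted from RFC 6125 section 6.4.3 and the two hash lookups James Peach proposes ("foo.example.com", then "example.com"), as an added C++ example written for this page; it is not Traffic Server code and not code from the thread. The `CertIndex` type, the two-table layout, the certificate labels and the sample names are all constructed. `lookupLongestSuffix` reproduces the longest-match behaviour the report describes so the two can be compared on the RFC's own three cases.

```cpp
#include <iostream>
#include <optional>
#include <string>
#include <unordered_map>

// Constructed example: a minimal certificate index built from two hash tables
// instead of a trie. Values are stand-in certificate labels, not real certs.
struct CertIndex {
    std::unordered_map<std::string, std::string> exact;     // "www.example.com" -> cert
    std::unordered_map<std::string, std::string> wildcard;  // "example.com"     -> cert for "*.example.com"

    // Register a certificate under either a plain hostname or a "*.<domain>" pattern.
    void add(const std::string& name, const std::string& cert) {
        if (name.rfind("*.", 0) == 0) {
            wildcard[name.substr(2)] = cert;
        } else {
            exact[name] = cert;
        }
    }

    // Strict lookup following RFC 6125 6.4.3: try the exact name, then exactly one
    // wildcard lookup keyed by the parent domain (the name with its first label removed).
    // Stripping only one label means "*.example.com" is reachable from "foo.example.com"
    // but not from "bar.foo.example.com" (parent "foo.example.com") nor from "example.com".
    std::optional<std::string> lookup(const std::string& name) const {
        auto e = exact.find(name);
        if (e != exact.end()) return e->second;

        auto dot = name.find('.');
        if (dot == std::string::npos || dot == 0 || dot + 1 == name.size()) return std::nullopt;

        auto w = wildcard.find(name.substr(dot + 1));
        if (w != wildcard.end()) return w->second;
        return std::nullopt;
    }

    // Longest-suffix lookup reproducing the reported bug: keep stripping labels until
    // any wildcard entry matches, so deeper names such as "bar.foo.example.com" wrongly
    // receive the "*.example.com" certificate.
    std::optional<std::string> lookupLongestSuffix(const std::string& name) const {
        auto e = exact.find(name);
        if (e != exact.end()) return e->second;

        std::string rest = name;
        for (auto dot = rest.find('.'); dot != std::string::npos; dot = rest.find('.')) {
            rest = rest.substr(dot + 1);
            auto w = wildcard.find(rest);
            if (w != wildcard.end()) return w->second;
        }
        return std::nullopt;
    }
};

// Constructed sample index: one exact-name certificate and one wildcard certificate.
CertIndex buildSampleIndex() {
    CertIndex idx;
    idx.add("www.example.com", "cert-www");
    idx.add("*.example.com", "cert-wildcard");
    return idx;
}

static void show(const CertIndex& idx, const std::string& name) {
    auto strict = idx.lookup(name);
    auto longest = idx.lookupLongestSuffix(name);
    std::cout << name << ": strict=" << (strict ? *strict : "(none)")
              << " longest-suffix=" << (longest ? *longest : "(none)") << "\n";
}

int main() {
    CertIndex idx = buildSampleIndex();
    // The three names from the RFC text: only the first should match "*.example.com".
    show(idx, "foo.example.com");
    show(idx, "bar.foo.example.com");
    show(idx, "example.com");
    show(idx, "www.example.com");
    return 0;
}
```

Running it prints one line per name; the strict column matches the RFC's expectation for all three names, while the longest-suffix column hands "cert-wildcard" to "bar.foo.example.com", which is the certificate a browser then rejects with a bad-domain error.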