Posted to dev@hc.apache.org by Oleg Kalnichevski <ol...@apache.org> on 2014/09/06 17:00:35 UTC

Re: CVE-2014-3577 postmortem

On Mon, 2014-08-25 at 12:53 +0200, Dirk-Willem van Gulik wrote:
> > Op 22 aug. 2014, om 18:31 heeft Oleg Kalnichevski <ol...@apache.org> het volgende geschreven:

...

> >> Now *all* that is allowed are '*' — and as far as I know - only in string (and not IPv4/IPv6) based entries.
> >> 
> >> So perhaps it is an option to compare things from the TLD down with a very very simple loop.
> >> 
> >> 	if (starts with a star) then
> >> 		@a = array of host FQDN split on '.'
> >> 		@b = array of certificate name split on '.'
> >> 
> >> 		if not right lengths - bail
> >> 		working from the topmost side working to last but one
> >> 			bail if not the same.
> >> 		check if we have left just one entry on a and a wildcard on b.
> >> 
> >> i.e. avoid wildcards completely.
> > 
> > Please correct me if I am wrong but after rereading relevant RFCs I was
> > under impression that complex wild card expressions in subjectAltName
> > like 
> > 
> > a*b*c*d.mydomain.com
> > 
> > were perfectly legal. This was the primary reason why I felt the use of
> > regex matching was beneficial. Should we revert to supporting simple
> > '*', 'blah*' expressions only?
> 
> Not sure - doing more research after reading the RFCs - they are much more strict about i18n domains; and I am not sure if I understand all the implications.
> 
> Dw.

Hi Dirk-Willem

After having re-read RFC 2818 section 3.1 (Server Identity) I realized I
was most likely wrong.

"...Names may contain the wildcard character * which is considered to
match any single domain name component or component fragment..."

Based on this statement I presume only singular wildcard is legal. 

I re-wrote hostname verification logic one more time completely doing
away with regex matching per your recommendation in favor of simple
suffix / prefix matching based on the above assumption. Also, the
default HostnameVerifier implementation can now make use of public
suffix list to ensure that the server identity obtained from the
certificate is outside of the public domain space.

Please let us know what you think.

Oleg
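As an added illustration, and not HttpClient's code or anything posted in this thread, the Python below implements the approach Oleg describes: no regex, at most one '*' in a certificate name, plain prefix/suffix comparison around it, and a public suffix check so that an identity such as '*.com' or '*.co.uk' can never match. Two things are assumptions of this sketch rather than statements from the thread: PUBLIC_SUFFIXES is a constructed, tiny stand-in for the real Public Suffix List, and the wildcard is confined to the left-most label (the RFC 6125 rule) rather than allowed anywhere in the name.

```python
import ipaddress
from typing import Optional

# Constructed stand-in for the Public Suffix List; a real verifier loads the full list.
PUBLIC_SUFFIXES = {"com", "org", "net", "uk", "co.uk"}


def _is_ip_literal(name: str) -> bool:
    """True for IPv4/IPv6 literals; wildcard matching is never applied to those."""
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False


def public_suffix(name: str, suffixes=PUBLIC_SUFFIXES) -> Optional[str]:
    """Longest known public suffix of `name`, or None when no entry applies."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):          # longest candidate first
        candidate = ".".join(labels[i:])
        if candidate in suffixes:
            return candidate
    return None


def wildcard_in_public_space(identity: str, suffixes=PUBLIC_SUFFIXES) -> bool:
    """True when the '*' sits inside the registrable domain (public suffix + one label).

    Such an identity ('*.com', '*.co.uk', 'f*o.com') would cover every site under a
    public suffix, so it is rejected outright.
    """
    suffix = public_suffix(identity, suffixes)
    if suffix is None:
        return False                      # unknown TLD: the list gives no verdict
    labels = identity.lower().rstrip(".").split(".")
    suffix_len = suffix.count(".") + 1
    registrable = labels[-(suffix_len + 1):]
    return any("*" in label for label in registrable)


def match_identity(host: str, identity: str, suffixes=PUBLIC_SUFFIXES) -> bool:
    """Compare a host name against one subjectAltName / CN value without regex.

    - no '*'            : exact, case-insensitive comparison (dNSName or iPAddress)
    - exactly one '*'   : must be in the left-most label; the text it stands for may
                          not span a '.', i.e. it matches one label or a fragment of one
    - several '*'       : rejected (e.g. 'a*b*c*d.mydomain.com')
    """
    host = host.lower().rstrip(".")
    identity = identity.lower().rstrip(".")
    if "*" not in identity:
        return host == identity
    if _is_ip_literal(host) or identity.count("*") != 1:
        return False
    labels = identity.split(".")
    if "*" not in labels[0]:              # assumption: wildcard only in left-most label
        return False
    if wildcard_in_public_space(identity, suffixes):
        return False
    prefix, suffix = identity.split("*")  # exactly one '*', so exactly two parts
    if not host.startswith(prefix) or not host.endswith(suffix):
        return False
    matched = host[len(prefix):len(host) - len(suffix)]
    return "." not in matched             # '*' never crosses a label boundary
```

Because the only string operations are `split`, `startswith` and `endswith`, there is no pattern engine to confuse, and the failure mode from the original bug class (a wildcard or CN fragment being interpreted more broadly than intended) is replaced by a short list of explicit refusals that are easy to unit test.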
