Case-insensitive identity verification #463
Comments
This was referenced May 14, 2024
|
This is a great catch, thanks. Are you interested in backporting your fix from swift-certificates? We're not cutting over to it immediately so it'd be nice to fix it in both places. |
|
Yes. Here's the PR #464. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
RFC 5280 states that while uppercase and lowercase letters are allowed in domain names, no significance is attached to the case, meaning the case should be ignored when comparing domain names.
Most certificates don't have any uppercase letter in their domain name. But some do.
SwiftNIO SSL converts the server hostname to lowercase but doesn't convert the certificate's CN or SAN. Therefore, the domain name comparison always fails when the certificate has uppercase letters in its domain name.
Steps to reproduce
Copy
cert.pemandkey.pemto the current directory.Run the server.
Try to connect to the server.
Expected result
A parsing error
invalid constant stringis thrown (the server is not a valid HTTP server).Actual result
NIOSSLExtraError.failedToValidateHostname: Couldn't find localhost in certificate from peeris thrown.The text was updated successfully, but these errors were encountered: