Wildcard matching on punycode domain is broken #419
Comments
|
I create a patch in #420 |
|
Please see #420, this isn't a pull request; closing. |
|
I think this is an real issue with OpenSSL library. I just pointed it out in more details in the code. Is it being planed to address it? It seems a little premature to just close it. |
|
I think the idea is to just use #420 to track this issue, so there's no need to have two reports open. |
|
👍 Thanks. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Trying to match www.xn--foobar.com with a certificate using SAN "*.xn--foobar.com" will result false.
https://github.com/openssl/openssl/blob/master/crypto/x509v3/v3_utl.c#L839
This line basically denies double hypen '--' from appearing in the wildcard domain name.
And https://github.com/openssl/openssl/blob/master/crypto/x509v3/v3_utl.c#L831
this line basically sets a state LABEL_IDNA but the state never gets checked.
Further references:
https://github.com/briansmith/mozillapkix/blob/687015fa069d692afaf1868abdcc756b057e748d/test/gtest/pkixnames_tests.cpp#L259
https://tools.ietf.org/html/rfc6125 section 7.2
The text was updated successfully, but these errors were encountered: