Wildcard matching on punycode domain is broken #419
Trying to match www.xn--foobar.com with a certificate using SAN "*.xn--foobar.com" will result in false.
https://github.com/openssl/openssl/blob/master/crypto/x509v3/v3_utl.c#L839
This line basically denies a double hyphen '--' from appearing in the wildcard domain name.
And https://github.com/openssl/openssl/blob/master/crypto/x509v3/v3_utl.c#L831
this line basically sets a state LABEL_IDNA but the state never gets checked.
Further references:
https://github.com/briansmith/mozillapkix/blob/687015fa069d692afaf1868abdcc756b057e748d/test/gtest/pkixnames_tests.cpp#L259
https://tools.ietf.org/html/rfc6125 section 7.2
Comments
I created a patch in #420
Please see #420, this isn't a pull request; closing.
I think this is a real issue with the OpenSSL library. I just pointed it out in more detail in the code. Is it planned to be addressed? It seems a little premature to just close it.
I think the idea is to just use #420 to track this issue, so there's no need to have two reports open.
👍 Thanks.
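The matching rule the report appeals to, as an added example in Python (not OpenSSL's code and not the patch in #420): per RFC 6125 a wildcard may only be the whole leftmost label of the presented identifier, it must not be embedded in an A-label such as `xn--*`, and it matches exactly one label of the reference identifier. A legitimate A-label (`xn--foobar`) contains a double hyphen, so a checker that rejects `--` anywhere in a wildcard pattern can never match `www.xn--foobar.com`. `naive_wildcard_ok` below is a constructed stand-in for that over-strict behaviour, not a copy of the v3_utl.c logic; the requirement of at least three labels in a wildcard pattern (no `*.com`) is an assumed policy choice, and the hostnames are constructed test values.

```python
import re

# Valid LDH label: 1-63 letters, digits or hyphens, with no leading or
# trailing hyphen. Note that an A-label such as "xn--foobar" legitimately
# contains "--" at positions 3 and 4.
_LDH_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def _labels(name):
    """Lower-case the name, drop one trailing dot and split it into labels."""
    name = name.lower().rstrip(".")
    return name.split(".") if name else []


def naive_wildcard_ok(presented):
    """Constructed stand-in for the over-strict check the issue describes:
    any '--' in a wildcard pattern makes the whole pattern unusable, so
    '*.xn--foobar.com' is rejected before any hostname is compared."""
    if "*" not in presented:
        return True
    return "--" not in presented


def wildcard_pattern_ok(presented):
    """RFC 6125 style acceptance of a wildcard presented identifier.

    - the wildcard must be the entire leftmost label ('*'), which also
      excludes a wildcard embedded in an A-label such as 'xn--*';
    - no other label may contain '*';
    - every other label must be a syntactically valid LDH label, and a
      double hyphen inside such a label is perfectly fine;
    - assumed policy: at least two labels must follow the wildcard.
    """
    labels = _labels(presented)
    if len(labels) < 3:
        return False
    if labels[0] != "*":
        return False
    if any("*" in label for label in labels[1:]):
        return False
    return all(_LDH_LABEL.match(label) for label in labels[1:])


def hostname_matches(presented, reference):
    """Return True if the certificate name `presented` (a dNSName SAN)
    matches the hostname `reference` being connected to."""
    p = _labels(presented)
    r = _labels(reference)
    if not p or not r:
        return False
    # The reference identifier is a plain hostname and must itself be valid.
    if any(not _LDH_LABEL.match(label) for label in r):
        return False
    if "*" not in presented:
        return p == r
    if not wildcard_pattern_ok(presented):
        return False
    # The wildcard label matches exactly one label: never zero, never several.
    return len(p) == len(r) and p[1:] == r[1:]


if __name__ == "__main__":
    cases = [
        ("*.xn--foobar.com", "www.xn--foobar.com"),
        ("*.xn--foobar.com", "a.b.xn--foobar.com"),
        ("xn--*.example.com", "xn--bcher-kva.example.com"),
        ("*.com", "example.com"),
    ]
    for presented, reference in cases:
        print(presented, reference,
              "naive:", naive_wildcard_ok(presented),
              "rfc6125:", hostname_matches(presented, reference))
```

The first case is the one from the report: the naive checker throws the pattern away because of the `--` in `xn--foobar`, while the label-based matcher accepts it, and it still refuses a wildcard inside an A-label, a wildcard matching more than one label, and a bare `*.com`.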