On Tue, Apr 01, 2014, Viktor Dukhovni wrote:

> On Tue, Apr 01, 2014 at 05:03:32PM -0400, Salz, Rich wrote:
> 
> > > I, for one, would not want OpenSSL to employ such a complex
> > > and fragile mechanism.
> > 
> > Yeah, it's kinda gross and clunky.  On the other hand, it's really
> > all we have right now, and rejecting a cert with a SAN name of
> > "*.com" is a good security thing to do.  Perhaps a configure option,
> > or a callback that could implement it?
> 
> Note that the implementation in master (some day 1.1.0) already
> rejects *.com, what it fails to reject is *.co.uk (that's why
> we're still mulling over this thread).
> 

It's also in 1.0.2-beta.

> An optional callback perhaps to validate the suffix of a wildcard
> cert, but complexity has costs, and I think the onus is on the
> trusted CA ( that wants to remain trusted) to not issue such
> certificates.
> 
> I am far from sure the callback is worth the trouble.
> 

The initial aim of X509_check_host was to support minimal host name matching
which until then wasn't in OpenSSL at all. It wasn't intended to cover every
case but to be a lot better than nothing.

The wildcard matching was contributed as an addition. If it's felt it is
terminally broken it can be either disabled by default or reverted altogether.
Or fixed if someone can come up with a patch...

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org
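The gap discussed in the thread (a rule that rejects "*.com" but still lets "*.co.uk" through) is, at bottom, a question of whether the part after "*." is a registrable name or a public suffix. The following is an added, standalone C example illustrating that check; it is not OpenSSL code, not part of X509_check_host, and not anything Steve or Viktor posted. The suffix table is a constructed, deliberately tiny stand-in for the real Public Suffix List, and the function names (`is_public_suffix`, `wildcard_cert_name_ok`, `wildcard_match`) are the example's own.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample of public suffixes. A real deployment would load the
 * Mozilla Public Suffix List; this handful is only here so the example runs
 * offline. A wildcard whose suffix is one of these would match every
 * registrant beneath that suffix, which is what the thread wants rejected. */
static const char *const PUBLIC_SUFFIXES[] = {
    "com", "net", "org", "uk", "co.uk", "org.uk", "ac.uk", NULL
};

/* Case-insensitive equality for DNS labels (ASCII only). */
static int eq_nocase(const char *a, const char *b) {
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return 0;
    return *a == '\0' && *b == '\0';
}

int is_public_suffix(const char *domain) {
    for (const char *const *p = PUBLIC_SUFFIXES; *p; p++)
        if (eq_nocase(*p, domain)) return 1;
    return 0;
}

/* Policy check on the certificate name itself: accept only a leading "*."
 * whose remaining suffix has at least two non-empty labels and is not itself
 * a public suffix. Rejects "*.com" (one label) and "*.co.uk" (public suffix)
 * alike, while "*.example.co.uk" passes. */
int wildcard_cert_name_ok(const char *pattern) {
    if (strncmp(pattern, "*.", 2) != 0) return 0;
    const char *suffix = pattern + 2;
    if (*suffix == '\0' || strchr(suffix, '*') != NULL) return 0;
    const char *dot = strchr(suffix, '.');
    if (dot == NULL || dot[1] == '\0') return 0;     /* need two labels */
    if (is_public_suffix(suffix)) return 0;          /* "*.co.uk" case  */
    for (const char *p = suffix; *p; p++)            /* no empty labels  */
        if (p[0] == '.' && (p[1] == '.' || p[1] == '\0')) return 0;
    return 1;
}

/* Match a host against a wildcard pattern that passed the policy check:
 * "*" covers exactly one leftmost label (no dots), the remainder compares
 * case-insensitively. Returns 1 on match, 0 otherwise. */
int wildcard_match(const char *pattern, const char *host) {
    if (!wildcard_cert_name_ok(pattern)) return 0;
    const char *dot = strchr(host, '.');
    if (dot == NULL || dot == host) return 0;        /* non-empty first label */
    return eq_nocase(pattern + 2, dot + 1);
}

int main(void) {
    const char *names[] = { "*.com", "*.co.uk", "*.example.com", "*.example.co.uk" };
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++)
        printf("%-18s %s\n", names[i],
               wildcard_cert_name_ok(names[i]) ? "accept" : "reject");
    printf("www.example.com   vs *.example.com -> %d\n",
           wildcard_match("*.example.com", "www.example.com"));
    printf("a.b.example.com   vs *.example.com -> %d\n",
           wildcard_match("*.example.com", "a.b.example.com"));
    return 0;
}
```

The point of keeping the suffix test separate from the label-count test is that neither alone is sufficient: counting labels catches "*.com" but not "*.co.uk", and a suffix list catches "*.co.uk" but only if it is kept current, which is the maintenance cost Viktor's message is weighing against the callback.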