[jira] [Work logged] (TS-4480) Wildcards in certificates should only match one level

[ASF GitHub Bot (JIRA)]

     [ 
https://issues.apache.org/jira/browse/TS-4480?focusedWorklogId=28945&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-28945
 ]

ASF GitHub Bot logged work on TS-4480:
--------------------------------------

                Author: ASF GitHub Bot
            Created on: 13/Sep/16 15:15
            Start Date: 13/Sep/16 15:15
    Worklog Time Spent: 10m 
      Work Description: Github user SolidWallOfCode commented on a diff in the 
pull request:

    https://github.com/apache/trafficserver/pull/992#discussion_r78580820
  
    --- Diff: iocore/net/SSLCertLookup.cc ---
    @@ -346,48 +349,30 @@ int
     SSLContextStorage::insert(const char *name, int idx)
     {
       ats_wildcard_matcher wildcard;
    -  bool inserted = false;
    +  InkHashTableValue value;
    +  char lower_case_name[TS_MAX_HOST_NAME_LEN + 1];
     
       if (wildcard.match(name)) {
    -    // We turn wildcards into the reverse DNS form, then insert them into 
the trie
    -    // so that we can do a longest match lookup.
    -    char namebuf[TS_MAX_HOST_NAME_LEN + 1];
    -    char *reversed;
    -    ats_scoped_obj<ContextRef> ref;
    -
    -    reversed = reverse_dns_name(name + 1, namebuf);
    -    if (!reversed) {
    -      Error("wildcard name '%s' is too long", name);
    -      return -1;
    +    // Strip the wildcard and store the subdomain
    +    const char *subdomain = index(name, '*');
    +    if (subdomain) {
    +      subdomain = index(subdomain, '.');
    --- End diff --
    
    Isn't it required that `subdomain[1] == '.'`?


Issue Time Tracking
-------------------

    Worklog Id:     (was: 28945)
    Time Spent: 1h 10m  (was: 1h)

> Wildcards in certificates should only match one level
> -----------------------------------------------------
>
>                 Key: TS-4480
>                 URL: https://issues.apache.org/jira/browse/TS-4480
>             Project: Traffic Server
>          Issue Type: Bug
>          Components: Core, SSL
>            Reporter: Michael Sokolnicki
>            Assignee: Susan Hinrichs
>             Fix For: 7.0.0
>
>         Attachments: current_patch.diff
>
>          Time Spent: 1h 10m
>  Remaining Estimate: 0h
>
> According to RFC 6125 section 6.4.3:
> {quote}
> If the wildcard character is the only character of the left-most label in the 
> presented identifier, the client SHOULD NOT compare against anything but the 
> left-most label of the reference identifier (e.g., *.example.com would match 
> foo.example.com but not bar.foo.example.com or example.com).
> {quote}
> In the current implementation, certificates are searched for in a trie, and 
> the longest match is returned, but there is no check if that match complies 
> with the above rule. This causes invalid certs to be returned and SLL errors 
> in the browser (in Firefox, we get SSL_ERROR_BAD_CERT_DOMAIN).



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)