
Certificate name validation #75

Merged
merged 2 commits into from
Oct 2, 2016

Conversation

ocheron
Contributor

@ocheron ocheron commented Sep 18, 2016

This request changes domain name matching in x509-validation to get closer to other implementations and RFCs:

  • domain name matching is now case-insensitive
  • a wildcard in the certificate domain name matches only a single domain component (see RFC 2818: "Names may contain the wildcard character '*' which is considered to match any single domain name component or component fragment.")

Case conversion is performed directly in splitDot, and the function call is now moved into matchDomain so that the original name before conversion can be returned inside InvalidName.

A wildcard is supported only for the left-most component just like before. I didn’t consider extending this or supporting component fragments like f*o.example.com because this is more complex and probably never used in practice (discussed somehow in RFC 6125 §7.2).

* a wildcard matches only one level of subdomains

* hostname matching is now case-insensitive

Fixes snoyberg/http-client#212.
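To make the two rules above concrete, here is an added, stand-alone Haskell example (not code from hs-certificate or from this pull request). It mirrors the shape the description gives, a `splitDot` that folds case and a `matchDomain` that only honours a wildcard as the whole left-most label, but the function bodies, the test cases and the `main` are assumptions written for illustration:

```haskell
import Data.Char (toLower)

-- Split a host name on '.' and lower-case every label, so that comparison
-- is case-insensitive (the PR folds case in its own splitDot for the same reason).
splitDot :: String -> [String]
splitDot "" = []
splitDot s = case break (== '.') s of
  (label, "")       -> [map toLower label]
  (label, _ : rest) -> map toLower label : splitDot rest

-- Match a presented host name against a certificate name.
-- A '*' is honoured only when it is the entire left-most label, and it
-- consumes exactly one label (RFC 2818 §3.1).  Partial-label wildcards
-- such as f*o.example.com are deliberately rejected, as in the PR.
-- The extra guard refuses a bare "*" certificate name, which would otherwise
-- match any single-label host; that guard is this example's choice.
matchDomain :: String -> String -> Bool
matchDomain certName hostName = go (splitDot certName) (splitDot hostName)
  where
    go ("*" : cs) (_ : hs)
      | not (null cs) = cs == hs   -- wildcard eats one label, rest must be equal
    go cs hs          = cs == hs   -- otherwise every label must be equal

-- Constructed cases (not from the PR) and the result each should give.
cases :: [(String, String, Bool)]
cases =
  [ ("www.example.com", "WWW.Example.COM", True)   -- case-insensitive
  , ("*.example.com",   "foo.example.com", True)   -- one label under wildcard
  , ("*.example.com",   "a.b.example.com", False)  -- wildcard is not multi-level
  , ("*.example.com",   "example.com",     False)  -- wildcard needs a label
  , ("foo.*.com",       "foo.bar.com",     False)  -- only left-most wildcard
  , ("f*o.example.com", "foo.example.com", False)  -- no fragment wildcards
  , ("*",               "com",             False)  -- bare wildcard refused
  ]

main :: IO ()
main = mapM_ check cases
  where
    check (c, h, expected) =
      let got = matchDomain c h
       in putStrLn (c ++ " vs " ++ h ++ ": " ++ show got
                    ++ (if got == expected then "" else "  <-- UNEXPECTED"))
```

Run it with `runghc` and every line should print without the UNEXPECTED marker; the two cases that the old behaviour would have accepted are the multi-level one and any name that differs only in case.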
@ocheron
Contributor Author

ocheron commented Sep 30, 2016

Related to haskell-tls/hs-tls#163.

@vincenthz vincenthz merged commit af9c240 into haskell-tls:master Oct 2, 2016
@vincenthz
Collaborator

Thanks, looking good, although the general validation sorely lacks automated testing.

oherrala added a commit to ouspg/trytls that referenced this pull request Oct 2, 2016
Two good things merged into x509 package worth mentioning:

 * Certificate bundle reading was merged from pull request
   haskell-tls/hs-certificate#71

 * Certificate name validation was merged from pull request
   haskell-tls/hs-certificate#75
@ocheron
Contributor Author

ocheron commented Oct 3, 2016

OK, I'll see if I can add a test suite to x509-validation to test expected validation results.

@ocheron ocheron deleted the hostname-matching branch October 4, 2016 16:54