[Bug 573256] Re: SSL hostname matching does not allow subdomain matching
Rhonda D'Vine
573256 at bugs.launchpad.net
Thu Nov 22 14:26:01 UTC 2018
Erm, AIUI a wildcard doesn't cover further subdomains in the SSL spec. It's
exactly the same behavior as how web browsers handle this and is
consistent. If you have a convincing reason why you believe this has to
work (like, pointing at the specifications) then this has a chance to
get covered - otherwise I'd say it works as intended. A wildcard doesn't
cover subdomains.
** Changed in: irssi (Ubuntu)
Status: New => Invalid
https://bugs.launchpad.net/bugs/573256
Title:
SSL hostname matching does not allow subdomain matching
Status in irssi package in Ubuntu:
Invalid
Bug description:
Binary package hint: irssi
The wildcard implementation in irssi only allows a single hostname
depth for "*", so *.freenode.net does not match chat.us.freenode.net.
As seen in match_hostname() from src/core/network-openssl.c:
    ...
        } else if (cert_hostname[0] == '*' && cert_hostname[1] == '.' && cert_hostname[2] != 0) { /* wildcard match */
            /* The initial '*' matches exactly one hostname component */
            hostname_left = strchr(hostname, '.');
            if (hostname_left != NULL && ! strcasecmp(hostname_left + 1, cert_hostname + 2)) {
                return TRUE;
            }
        }
        return FALSE;
    }
20:20 < kees> 19:34 -!- Irssi: warning None of the Subject Alt Names in the certificate match hostname 'chat.us.freenode.net'
20:20 < kees> 19:34 [freenode] -!- Irssi: Connection lost to chat.us.freenode.net
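
The single-label wildcard rule discussed in this thread, as an added example that is not part of the original messages and is not irssi's code. The function name wildcard_name_matches is hypothetical, and the rejection of an empty first label goes beyond the quoted fragment. The behaviour follows the left-most-label rule of RFC 6125, section 6.4.3.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strcasecmp (POSIX) */

/*
 * Hypothetical helper, not irssi's match_hostname(): returns true when
 * `hostname` is covered by the certificate name `cert_name`.
 * A leading "*." stands for exactly one non-empty DNS label.
 */
bool wildcard_name_matches(const char *cert_name, const char *hostname)
{
    const char *rest;

    if (cert_name == NULL || hostname == NULL)
        return false;

    /* Exact (case-insensitive) match needs no wildcard handling. */
    if (strcasecmp(cert_name, hostname) == 0)
        return true;

    /* Only the form "*.<suffix>" is treated as a wildcard. */
    if (cert_name[0] != '*' || cert_name[1] != '.' || cert_name[2] == '\0')
        return false;

    /* Split the hostname at its first dot: <label>.<rest> */
    rest = strchr(hostname, '.');
    if (rest == NULL || rest == hostname)   /* no dot, or empty first label */
        return false;

    /* Everything after the first label must equal the suffix, so an extra
     * label ("us" in chat.us.freenode.net) makes the comparison fail. */
    return strcasecmp(rest + 1, cert_name + 2) == 0;
}

int main(void)
{
    /* Constructed inputs, using the names from the bug report. */
    const char *hosts[] = { "chat.freenode.net", "chat.us.freenode.net",
                            "freenode.net", ".freenode.net" };
    size_t i;

    for (i = 0; i < sizeof hosts / sizeof hosts[0]; i++)
        printf("*.freenode.net vs %-22s -> %s\n", hosts[i],
               wildcard_name_matches("*.freenode.net", hosts[i]) ? "match" : "no match");
    return 0;
}
```

A server reached as chat.us.freenode.net therefore needs a certificate name of chat.us.freenode.net or *.us.freenode.net to pass this check.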