[ https://issues.apache.org/jira/browse/TS-4480?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15299091#comment-15299091 ]
Michael Sokolnicki commented on TS-4480: ---------------------------------------- We have implemented a quick fix by deriving from the Trie class and adding a subdomain check in the search function. This might not be the cleanest approach, but it is simple and has solved the problem for us. I can provide the patch if you want. > Wildcards in certificates should only match one level > ----------------------------------------------------- > > Key: TS-4480 > URL: https://issues.apache.org/jira/browse/TS-4480 > Project: Traffic Server > Issue Type: Bug > Components: Core, SSL > Reporter: Michael Sokolnicki > > According to RFC 6125 section 6.4.3: > {quote} > If the wildcard character is the only character of the left-most label in the > presented identifier, the client SHOULD NOT compare against anything but the > left-most label of the reference identifier (e.g., *.example.com would match > foo.example.com but not bar.foo.example.com or example.com). > {quote} > In the current implementation, certificates are searched for in a trie, and > the longest match is returned, but there is no check if that match complies > with the above rule. This causes invalid certs to be returned and SLL errors > in the browser (in Firefox, we get SSL_ERROR_BAD_CERT_DOMAIN). -- This message was sent by Atlassian JIRA (v6.3.4#6332)