[ https://issues.apache.org/jira/browse/TS-4480?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15339742#comment-15339742 ]
Susan Hinrichs commented on TS-4480: ------------------------------------ Yes, doing full and subdomain explicit hash searches sound like a good idea. That would simplify the logic considerably. We currently don't support partial wildcards, e.g. b*z.example.net. If we really need to do that, it would probably be better to do that as a separate case (off the faster path). > Wildcards in certificates should only match one level > ----------------------------------------------------- > > Key: TS-4480 > URL: https://issues.apache.org/jira/browse/TS-4480 > Project: Traffic Server > Issue Type: Bug > Components: Core, SSL > Reporter: Michael Sokolnicki > Fix For: 7.0.0 > > Attachments: current_patch.diff > > > According to RFC 6125 section 6.4.3: > {quote} > If the wildcard character is the only character of the left-most label in the > presented identifier, the client SHOULD NOT compare against anything but the > left-most label of the reference identifier (e.g., *.example.com would match > foo.example.com but not bar.foo.example.com or example.com). > {quote} > In the current implementation, certificates are searched for in a trie, and > the longest match is returned, but there is no check if that match complies > with the above rule. This causes invalid certs to be returned and SLL errors > in the browser (in Firefox, we get SSL_ERROR_BAD_CERT_DOMAIN). -- This message was sent by Atlassian JIRA (v6.3.4#6332)