Hi OpenSSL Devs,

I have this bug fix for broken wildcard matching on punycode domains in OpenSSL. Specifically, the current implementation actually can't match "www.xn--foobar.com" against a certificate using SAN "*.xn--foobar.com". I filed an issue on GitHub too: https://github.com/openssl/openssl/issues/419

This patch fixes the problem and also introduces a good check/reject on invalid domain names that start with '-'. The wildcard matching algorithm also needs some improvement, but that is out of the scope of this bug fix. The patch can be applied with "patch -p1 < puny-code-wildcard-match.patch". My build system is Ubuntu 14.04; the version of OpenSSL targeted is the master branch on GitHub. A separate fix for branch OpenSSL_1_0_2-stable is attached as well. The reason we need that separate patch is that the test file paths in master and v1.0.2-stable have deviated.

Any feedback is appreciated.

Best,
Zi
Attachments: puny-code-wildcard-match.patch, puny-code-wildcard-match-v102.patch
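An added illustration of the matching behaviour the report expects (example code written for this page, not OpenSSL's implementation and not Zi's patch): a small RFC 6125-style matcher in C in which a leading "*" covers exactly one non-IDNA label while punycode in the remaining labels is compared literally, and any label starting with '-' is rejected. The rules beyond the two cases in the mail (a single whole-label wildcard, at least two labels after it) are assumptions of this example.

```c
/* Added example, not OpenSSL's code: a minimal RFC 6125-style wildcard matcher
 * showing "*.xn--foobar.com" matching "www.xn--foobar.com" and '-' label rejection. */
#include <ctype.h>
#include <string.h>
#include <strings.h>   /* strcasecmp/strncasecmp (POSIX) */

/* 1 if every label is non-empty, uses only letters/digits/'-', and neither
 * starts nor ends with '-'. A lone "*" is accepted as the first label only
 * when allow_star is set (certificate patterns), never for host names. */
static int valid_dns_name(const char *name, int allow_star)
{
    const char *label = name;
    int first = 1;
    for (;;) {
        const char *end = strchr(label, '.');
        size_t len = end ? (size_t)(end - label) : strlen(label);
        if (len == 0)
            return 0;                     /* empty label: "a..b" or trailing '.' */
        if (!(first && allow_star && len == 1 && label[0] == '*')) {
            if (label[0] == '-' || label[len - 1] == '-')
                return 0;                 /* no label starts or ends with '-' */
            for (size_t i = 0; i < len; i++)
                if (!isalnum((unsigned char)label[i]) && label[i] != '-')
                    return 0;
        }
        if (end == NULL)
            return 1;
        label = end + 1;
        first = 0;
    }
}

/* 1 if host matches pattern. A wildcard must be the whole leftmost label, be
 * followed by at least two more labels, and stand in for exactly one non-IDNA
 * host label; "xn--" in later labels is literal, so "*.xn--foobar.com" works. */
int hostname_matches(const char *host, const char *pattern)
{
    if (!valid_dns_name(host, 0) || !valid_dns_name(pattern, 1))
        return 0;
    if (strncmp(pattern, "*.", 2) != 0)
        return strcasecmp(host, pattern) == 0;   /* no wildcard: exact match */
    const char *suffix = pattern + 1;            /* ".xn--foobar.com" */
    if (strchr(suffix + 1, '.') == NULL)
        return 0;                                /* "*.com" is too broad */
    const char *dot = strchr(host, '.');
    if (dot == NULL || strncasecmp(host, "xn--", 4) == 0)
        return 0;                                /* '*' must not cover an IDNA label */
    return strcasecmp(dot, suffix) == 0;         /* "www" took the '*', rest literal */
}
```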
