Re: [openssl-dev] [openssl.org #4003] OpenSSL Bug report / Patch submission - wildcard_match in host verification
On Tue, Aug 11, 2015 at 08:25:53PM +, Sekwon Choi via RT wrote:

> Hi Viktor and Kurt,
>
> Thanks for the quick response. I think I agree with you guys. I looked up the hostname RFCs again (RFC 952 and 1123), not the URI RFC, and indeed, '_' and '~' are not valid characters to be used in a hostname. So technically, what openssl is doing is right.
>
> What makes it tricky is that, since there are many hostnames using '_' in the wild, even libcurl seems not to check '_' or '~' for a hostname's validity. I think hostname verification with those characters should be handled outside of the openssl context.

When processing DNS name wildcards it is appropriate to ensure that one is actually dealing with valid DNS names. If certificates contain garbage in subjectAltName components of type DNSName, then they won't be matched by X509_check_host().

Perhaps we should also check for correct hostname syntax when processing non-wildcard names (exact case-insensitive comparison with the user-supplied name), and may do so in the future, but I see no reason to relax the rules that ensure name validity in the wildcard case.

-- 
Viktor.
___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
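As an added illustration (my own code, not OpenSSL's wildcard_match or X509_check_host), here is a small C model of the two rules Viktor describes: a name must be syntactically valid DNS before wildcard processing, and non-wildcard names compare exactly and case-insensitively. The function names valid_label, valid_hostname and host_match are mine; the point it shows is that '_' and '~' are rejected by the hostname syntax check before any matching happens, so a caller that wants to accept such names has to handle that itself.

```c
/* Added example, not OpenSSL code: a model of the DNS-name checks this thread
 * discusses. Hostnames (RFC 952/1123) are dot-separated labels of letters,
 * digits and hyphens; '_' and '~' are URI "unreserved" characters (RFC 3986),
 * not hostname characters, so callers must handle them before X509_check_host(). */
#include <ctype.h>
#include <stdbool.h>
#include <string.h>
#include <strings.h>   /* strcasecmp() (POSIX) */
/* One LDH label: 1..63 chars, letters/digits/hyphen, no leading/trailing '-'. */
static bool valid_label(const char *s, size_t n)
{
    if (n == 0 || n > 63 || s[0] == '-' || s[n - 1] == '-')
        return false;
    for (size_t i = 0; i < n; i++)
        if (!isalnum((unsigned char)s[i]) && s[i] != '-')
            return false;   /* rejects '_', '~' and anything else non-LDH */
    return true;
}
/* Whole hostname: dot-separated LDH labels, at most 253 characters. */
bool valid_hostname(const char *host)
{
    size_t len = strlen(host);
    if (len == 0 || len > 253)
        return false;
    for (const char *p = host;;) {
        const char *dot = strchr(p, '.');
        size_t n = dot ? (size_t)(dot - p) : strlen(p);
        if (!valid_label(p, n))
            return false;
        if (dot == NULL)
            return true;
        p = dot + 1;
    }
}
/* Match host against a certificate name. A leading "*." stands for exactly one
 * leftmost label and the rest compares case-insensitively; any other pattern is
 * an exact case-insensitive comparison. Both sides must be valid hostnames, so
 * "my_host.example.com" never matches "*.example.com", however the cert reads. */
bool host_match(const char *pattern, const char *host)
{
    if (!valid_hostname(host))
        return false;
    if (strncmp(pattern, "*.", 2) != 0)
        return valid_hostname(pattern) && strcasecmp(pattern, host) == 0;
    if (!valid_hostname(pattern + 2))      /* the part after "*." */
        return false;
    const char *dot = strchr(host, '.');   /* end of host's leftmost label */
    return dot != NULL && strcasecmp(dot, pattern + 1) == 0;
}
```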
[openssl-dev] [openssl.org #4003] OpenSSL Bug report / Patch submission - wildcard_match in host verification
Hi openssl team,

I would like to report a bug as below, with a patch for the fix.

[ Version affected ] : 1.0.2d (latest) and below (basically, all versions of openssl)

[ Operating system ] : All

[ Bug description ] : When we want to perform host verification using openssl's APIs that use X509_check_host, a host URL that includes specific characters such as '_' or '~' will fail when the CN from the certificate contains a wildcard character. The reason is that the wildcard_match function in openssl-version/crypto/x509v3/v3_utils.c is not handling '_' and '~', while those are allowed characters for URLs. (patch attached separately)

--- ./openssl-1.0.2d/crypto/x509v3/v3_utl.c 2015-07-09 04:57:15.0 -0700 +++ ../OpenSSL/openssl-1.0.2d/crypto/x509v3/v3_utl.c 2015-08-11 10:15:19.905814872 -0700 @@ -787,7 +787,7 @@ if (!(('0' = *p *p = '9') || ('A' = *p *p = 'Z') || ('a' = *p *p = 'z') || - *p == '-' || (allow_multi *p == '.'))) + *p == '-' || *p == '_' || *p == '~' || (allow_multi *p == '.'))) return 0; return 1;

[ FYI ] : RFC 3986 (Uniform Resource Identifier (URI): Generic Syntax)
https://tools.ietf.org/html/rfc3986#section-2.1

2.3. Unreserved Characters

Characters that are allowed in a URI but do not have a reserved purpose are called unreserved. These include uppercase and lowercase letters, decimal digits, hyphen, period, underscore, and tilde.

unreserved = ALPHA / DIGIT / "-" / "." / "_" / "~"

Suggested fix: We propose to include '_' and '~' in the wildcard_match function so that hostnames including those characters can be evaluated correctly.

Thanks
Sekwon Choi
senior software engineer
Netflix
___
openssl-bugs-mod mailing list
openssl-bugs-...@openssl.org
https://mta.openssl.org/mailman/listinfo/openssl-bugs-mod
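Review bot: the change at line 787 widens the accepted alphabet with `*p == '_' || *p == '~'` on the strength of RFC 3986's unreserved set, but the check it relaxes is the DNS-name syntax test behind wildcard matching, and RFC 952/1123 hostnames allow only letters, digits and hyphen, so URI syntax is the wrong reference and the patch would let X509_check_host() match names that are not valid DNS names; the underscore case belongs in the caller, before hostname verification, as the rest of the thread concludes. Separately, the hunk as posted reads `'0' = *p *p = '9'`, with the comparison and `&&` operators evidently lost in transit, so it will not apply as pasted; please resend it as a plain-text attachment with the operators intact.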
Re: [openssl-dev] [openssl.org #4003] OpenSSL Bug report / Patch submission - wildcard_match in host verification
On Tue, Aug 11, 2015 at 06:53:29PM +, Sekwon Choi via RT wrote:

> When we want to perform host verification using openssl's APIs that use X509_check_host, a host URL that includes specific characters such as '_' or '~' will fail when the CN from the certificate contains a wildcard character. The reason is that the wildcard_match function in openssl-version/crypto/x509v3/v3_utils.c is not handling '_' and '~', while those are allowed characters for URLs.

It's checking the hostname, not the URL. _ and ~ are not allowed in DNS and so not in a hostname.

It looks to me that you're trying to validate a URL instead of a hostname. I don't know of any standard that allows you to put a URL in a certificate, and it also doesn't make much sense.

Kurt
Re: [openssl-dev] [openssl.org #4003] OpenSSL Bug report / Patch submission - wildcard_match in host verification
On Tue, Aug 11, 2015 at 07:22:58PM +, Kurt Roeckx via RT wrote:

> It looks to me that you're trying to validate a URL instead of a hostname. I don't know of any standard that allows you to put a URL in a certificate, and it also doesn't make much sense.

Certificates IIRC can have URI subjectAltNames, I don't recall whether we support matching these. If we did, that would certainly not be via X509_check_host(), there would have to be an X509_check_uri() interface.

-- 
Viktor.
Re: [openssl-dev] [openssl.org #4003] OpenSSL Bug report / Patch submission - wildcard_match in host verification
On Tue, Aug 11, 2015 at 07:29:15PM +, Viktor Dukhovni wrote:

> On Tue, Aug 11, 2015 at 07:22:58PM +, Kurt Roeckx via RT wrote:
>
> > It looks to me that you're trying to validate a URL instead of a hostname. I don't know of any standard that allows you to put a URL in a certificate, and it also doesn't make much sense.
>
> Certificates IIRC can have URI subjectAltNames, I don't recall whether we support matching these. If we did, that would certainly not be via X509_check_host(), there would have to be an X509_check_uri() interface.

We don't currently support URI subjectAltNames.

-- 
Viktor.
Re: [openssl-dev] [openssl.org #4003] OpenSSL Bug report / Patch submission - wildcard_match in host verification
Hi Viktor and Kurt,

Thanks for the quick response. I think I agree with you guys. I looked up the hostname RFCs again (RFC 952 and 1123), not the URI RFC, and indeed, '_' and '~' are not valid characters to be used in a hostname. So technically, what openssl is doing is right.

What makes it tricky is that, since there are many hostnames using '_' in the wild, even libcurl seems not to check '_' or '~' for a hostname's validity. I think hostname verification with those characters should be handled outside of the openssl context.

Thanks
Sekwon

On Tue, Aug 11, 2015 at 12:29 PM, openssl-dev@openssl.org via RT r...@openssl.org wrote:

> On Tue, Aug 11, 2015 at 07:22:58PM +, Kurt Roeckx via RT wrote:
>
> > It looks to me that you're trying to validate a URL instead of a hostname. I don't know of any standard that allows you to put a URL in a certificate, and it also doesn't make much sense.
>
> Certificates IIRC can have URI subjectAltNames, I don't recall whether we support matching these. If we did, that would certainly not be via X509_check_host(), there would have to be an X509_check_uri() interface.
>
> -- 
> Viktor.
[openssl-dev] [openssl.org #4003] OpenSSL Bug report / Patch submission - wildcard_match in host verification
Closing this ticket: works as intended, won't fix.