On 09/06/2016 07:29 AM, Amos Jeffries wrote:
On 25/08/2016 3:31 a.m., Christos Tsantilas wrote:
When comparing the requested domain name with a certificate Common Name,
Squid expanded wildcards to cover more than one domain name label (a.k.a.
component), violating RFC 2818 requirement[1]. For example, Squid
thought that wrong.host.example.com matched a *.example.com CN.

    [1] "the wildcard character * ... is considered to match any single
    domain name component or component fragment. E.g., *.a.com matches
    foo.a.com but not bar.foo.a.com".

In other contexts (e.g., ACLs), wildcards expand to all components.
matchDomainName() now accepts a mdnRejectSubsubDomains flag that selects
the right behavior for CN match validation.

The old boolean honorWildcards parameter was replaced with a flag, for
clarity and consistency's sake.

This patch also handles the cases where the host name consists only of
dots (e.g. a malformed Host header or SNI info). The old code has undefined
behaviour in these cases. Moreover, it handles the case where a certificate
contains a zero-length string as CN or alternate name.

This is a Measurement Factory project.
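The single-label wildcard rule quoted from RFC 2818 above, side by side with the ACL-style any-depth expansion, as an added example written for this page. It is not Squid's matchDomainName() or the patch itself: the MatchMode enum, the splitLabels() and labelEq() helpers and the function's exact semantics (a wildcard must be replaced by at least one host label; a leading "." pattern is treated like "*.") are this example's own choices, not Squid's, and the mdnRejectSubsubDomains flag is only mirrored by the MatchOneLabelOnly mode. The dots-only host and zero-length CN cases mentioned in the patch description are handled by rejecting them up front.

```cpp
#include <cctype>
#include <iostream>
#include <string>
#include <vector>

// Added example, not Squid code. Two wildcard semantics:
enum MatchMode {
    MatchAllLabels,     // ACL-style: wildcard covers any number of leading labels
    MatchOneLabelOnly   // RFC 2818 CN-style: wildcard covers exactly one label
};

// Split a DNS name into labels. Rejects the empty string and any empty
// label, so ".", "..." or "a..b" are reported as malformed instead of
// reaching the comparison loop.
static bool splitLabels(const std::string &name, std::vector<std::string> &out)
{
    out.clear();
    if (name.empty())
        return false;
    size_t start = 0;
    for (;;) {
        const size_t dot = name.find('.', start);
        const std::string label = (dot == std::string::npos)
            ? name.substr(start)
            : name.substr(start, dot - start);
        if (label.empty())
            return false;
        out.push_back(label);
        if (dot == std::string::npos)
            return true;
        start = dot + 1;
    }
}

// Case-insensitive label comparison (DNS names are case-insensitive).
static bool labelEq(const std::string &a, const std::string &b)
{
    if (a.size() != b.size())
        return false;
    for (size_t i = 0; i < a.size(); ++i)
        if (std::tolower(static_cast<unsigned char>(a[i])) !=
            std::tolower(static_cast<unsigned char>(b[i])))
            return false;
    return true;
}

// True when 'host' is covered by 'pattern'. A pattern starting with "*." or
// "." is a wildcard; anything else must match label for label. A zero-length
// pattern (empty CN or SAN) and a dots-only or empty host never match.
bool matchDomainName(const std::string &host, std::string pattern, MatchMode mode)
{
    std::vector<std::string> h, p;
    if (!splitLabels(host, h))
        return false;                       // "", ".", "..." never match
    if (pattern.empty())
        return false;                       // empty CN/SAN never matches

    bool wildcard = false;
    if (pattern[0] == '.') {
        wildcard = true;
        pattern.erase(0, 1);
    } else if (pattern.compare(0, 2, "*.") == 0) {
        wildcard = true;
        pattern.erase(0, 2);
    }
    if (!splitLabels(pattern, p))
        return false;                       // e.g. "*." or "*..com"

    if (!wildcard) {
        if (h.size() != p.size())
            return false;
        for (size_t i = 0; i < p.size(); ++i)
            if (!labelEq(h[i], p[i]))
                return false;
        return true;
    }

    // Wildcard: the host must end with the pattern's labels and supply at
    // least one label of its own in place of the '*'.
    if (h.size() <= p.size())
        return false;
    const size_t extra = h.size() - p.size();
    if (mode == MatchOneLabelOnly && extra != 1)
        return false;                       // RFC 2818: one component only
    for (size_t i = 0; i < p.size(); ++i)
        if (!labelEq(h[extra + i], p[i]))
            return false;
    return true;
}

int main()
{
    std::cout << "CN  wrong.host.example.com vs *.example.com: "
              << matchDomainName("wrong.host.example.com", "*.example.com", MatchOneLabelOnly) << "\n";
    std::cout << "ACL wrong.host.example.com vs .example.com:  "
              << matchDomainName("wrong.host.example.com", ".example.com", MatchAllLabels) << "\n";
    return 0;
}
```

The same host and pattern give opposite answers in the two modes, which is exactly the distinction the patch draws: the certificate check must use the one-label mode, while ACL matching keeps the older any-depth behaviour.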


in matchDomainName you removed the comment:
"
    * This is a match only if the first domain character
    * is a leading '.'.
"

That comment is still true. The squid.conf domain still needs to begin
with a '.' for the match to return true from that if-statement.
What you are changing is that other flag conditions also apply.

OK this comment was not removed.


Other than that +1. Please apply ASAP.

Applied to trunk as r14821.




Amos


_______________________________________________
squid-dev mailing list
squid-dev@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-dev
