SSL hostname matching does not allow subdomain matching
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
irssi (Ubuntu) | Invalid | Undecided | Unassigned |
Bug Description
Binary package hint: irssi
The wildcard implementation in irssi only allows a single hostname depth for "*", so *.freenode.net does not match chat.us.
```c
/* ... (from irssi's match_hostname() in src/core/network-openssl.c) */
} else if (cert_hostname[0] == '*' && cert_hostname[1] == '.' && cert_hostname[2] != 0) { /* wildcard match */
	/* The initial '*' matches exactly one hostname component */
	hostname_left = strchr(hostname, '.');
	/* the rest of the host (after its first label) must equal the rest of the cert name;
	   the call on this line was cut off on the page and is completed from irssi's source */
	if (hostname_left != NULL && ! strcasecmp(hostname_left + 1, cert_hostname + 2)) {
		return TRUE;
	}
}
return FALSE;
}
```
20:20 < kees> 19:34 -!- Irssi: warning None of the Subject Alt Names in the certificate match hostname 'chat.us.
20:20 < kees> 19:34 [freenode] -!- Irssi: Connection lost to chat.us.
Changed in irssi (Ubuntu):
status: Expired → Confirmed
status: Confirmed → New
AIUI, this is the desired behavior. From rfc2818 regarding HTTP Over TLS (http://www.faqs.org/rfcs/rfc2818.txt):
3.1. Server Identity
...Names may contain the wildcard
character * which is considered to match any single domain name
component or component fragment. E.g., *.a.com matches foo.a.com but
not bar.foo.a.com. f*.com matches foo.com but not bar.com.
Also, rfc2595 regarding Using TLS with IMAP, POP3 and ACAP is slightly more ambiguous, but implies the same behavior (http://www.faqs.org/rfcs/rfc2595.html):
2.4. Server Identity Check
...
- A "*" wildcard character MAY be used as the left-most name
component in the certificate. For example, *.example.com would
match a.example.com, foo.example.com, etc. but would not match
example.com.
It is also known that while some browser implementations do honor hostname.subdomain.domain, they are out of spec. I don't see any RFCs regarding IRC wrt SSL, so following other implementations seems most correct.
Simply put, it seems that *.us.freenode.com needs to have its own wildcard certificate to properly use SSL.
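The RFC 2818 rule the comment above quotes (a `*` matches exactly one label or a fragment of one, only in the left-most position, and never spans a `.`) is the same rule that makes irssi reject `*.freenode.net` for `chat.us.freenode.net`. The following is an added example written for this page, not irssi's code and not part of the bug report; the function names `rfc2818_hostname_match` and `label_matches` and the sample names are my own. It implements the full RFC 2818 text, including the `f*.com` fragment case that irssi's `*.`-only check does not handle, and shows the reporter's case failing for the reason the RFC gives.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Match one DNS label against a one-label pattern that may contain a
 * single '*'.  The '*' matches any run of characters inside the label,
 * so "f*" matches "foo" but "*" can never absorb a '.'. */
static bool label_matches(const char *pattern, size_t plen,
                          const char *label, size_t llen)
{
    if (llen == 0)
        return false;                         /* empty labels never match */
    const char *star = memchr(pattern, '*', plen);
    if (star == NULL)                         /* literal label: exact, case-insensitive */
        return plen == llen && strncasecmp(pattern, label, llen) == 0;
    size_t prefix = (size_t)(star - pattern); /* chars before the '*' */
    size_t suffix = plen - prefix - 1;        /* chars after the '*' */
    if (llen < prefix + suffix)
        return false;
    return strncasecmp(pattern, label, prefix) == 0 &&
           strncasecmp(star + 1, label + llen - suffix, suffix) == 0;
}

/* Server identity check per RFC 2818 section 3.1.
 * Returns true if the hostname in the certificate (CN or SAN dNSName)
 * matches the hostname the client connected to. */
bool rfc2818_hostname_match(const char *cert_name, const char *hostname)
{
    if (strcasecmp(cert_name, hostname) == 0)
        return true;                          /* exact match, no wildcard needed */

    const char *cdot = strchr(cert_name, '.');
    const char *hdot = strchr(hostname, '.');
    if (cdot == NULL || hdot == NULL)
        return false;                         /* a bare "*" or a single label: reject */
    if (strchr(cdot + 1, '*') != NULL)
        return false;                         /* wildcard allowed only in the left-most label */

    /* Everything after the first label must be identical.  This is the
     * step that fails for *.freenode.net vs chat.us.freenode.net:
     * "freenode.net" != "us.freenode.net", because '*' may stand for
     * "chat" but not for "chat.us". */
    if (strcasecmp(cdot + 1, hdot + 1) != 0)
        return false;

    return label_matches(cert_name, (size_t)(cdot - cert_name),
                         hostname, (size_t)(hdot - hostname));
}

int main(void)
{
    /* constructed sample pairs: the bug's case plus the RFC's own examples */
    const char *cases[][2] = {
        { "*.freenode.net", "chat.freenode.net" },
        { "*.freenode.net", "chat.us.freenode.net" },
        { "*.a.com", "foo.a.com" },
        { "*.a.com", "bar.foo.a.com" },
        { "f*.com", "foo.com" },
        { "f*.com", "bar.com" },
        { "*.example.com", "example.com" },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-16s vs %-22s -> %s\n", cases[i][0], cases[i][1],
               rfc2818_hostname_match(cases[i][0], cases[i][1]) ? "match" : "no match");
    return 0;
}
```

The check is deliberately strict in the same direction as irssi: the only way to get `chat.us.freenode.net` accepted is a certificate naming `*.us.freenode.net` (or the host itself), never a wider wildcard.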