Skip to content

Wildcard certs should only validate one level of sub domain #14249

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 4 commits into from
Jan 19, 2023
Merged

Wildcard certs should only validate one level of sub domain #14249

merged 4 commits into from
Jan 19, 2023

Conversation

@yamashitax
Copy link
Contributor

@yamashitax yamashitax commented Jan 9, 2023
edited
Loading

Closes #14177

The following testcase was included in the RFC spec, but not explicitly mentioned in the issue. I went ahead and implemented it.

f*.com matches foo.com but not bar.com

Do we want to expand this to cases like zig*ng.org matching ziglang.org? I could not find any reference to it in the spec, but I imagine the above quote implying that zig*ng.org would need to pass as well.

@mitchellh
Copy link
Contributor

mitchellh commented Jan 9, 2023
edited
Loading

Note that I believe partial wildcards (a*, *b, or a*b) are no longer supported by any major browser and is marked as an optional feature by the RFC. It has been many years since I looked very closely at TLS at the spec level (the last time was working on Vault’s TLS backend like… more than 5 years ago), but I remember this is fine to just not support if you want.

I’m not making any judgement on this either way, just stating some information that may be helpful.

https://datatracker.ietf.org/doc/html/rfc6125.html#section-6.4.3 (6.4.3)

@yamashitax
Copy link
Contributor Author

yamashitax commented Jan 9, 2023
edited
Loading

Note that I believe partial wildcards (a*, b, or ab) are no longer supported by any major browser and is marked as an optional feature by the RFC. It has been many years since I looked very closely at TLS at the spec level (the last time was working on Vault’s TLS backend like… more than 5 years ago), but I remember this is fine to just not support if you want.

I’m not making any judgement on this either way, just stating some information that may be helpful.

https://datatracker.ietf.org/doc/html/rfc6125.html#section-6.4.3 (6.4.3)

Thanks for the info!

I'll wait for more feedback before making any adjustments. Your point does seem valid.

@andrewrk
Copy link
Member

andrewrk commented Jan 17, 2023

Thanks for this!

I'd like to follow the lead set by the major browsers. I agree with @mitchellh's interpretation of the spec, that partial wildcards are not required, and in fact appear to be discouraged.

Given that

  1. we can get away with it (major browsers make the same decision)
  2. the spec agrees, and
  3. it's fundamentally simpler

I think it's clear that the best path forward for Zig is to not look for partial wildcards.

@yamashitax
Copy link
Contributor Author

yamashitax commented Jan 19, 2023

Thanks for this!

I'd like to follow the lead set by the major browsers. I agree with @mitchellh's interpretation of the spec, that partial wildcards are not required, and in fact appear to be discouraged.

Given that

  1. we can get away with it (major browsers make the same decision)
  2. the spec agrees, and
  3. it's fundamentally simpler

I think it's clear that the best path forward for Zig is to not look for partial wildcards.

@andrewrk Thanks for the clarification, I've gone ahead and removed the fragment component implementation.

@Vexu Vexu enabled auto-merge (squash) January 19, 2023 13:30
@Vexu Vexu merged commit 6c98c8d into ziglang:master Jan 19, 2023
@yamashitax yamashitax deleted the wildcard-certs-should-only-validate-one-level-of-sub-domain branch January 19, 2023 23:17
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

std.crypto.Certificate: wildcard certs should only validate one level of sub-domain

4 participants

@yamashitax @mitchellh @andrewrk @Vexu