Tatsuhiro Tsujikawa | 1 Apr 15:04 2012

[PATCH] TLS hostname check conforming to RFC 6125

This patch replaces the RFC 2818-based hostname check in the OpenSSL build
with an RFC 6125 [1] based one.

The hostname check in RFC 2818 is ambiguous and each project
implements it in their own way, and they are slightly different.
I checked curl, gnutls, Firefox and Chrome, and they are all different.

I don't think there is a bug in the current implementation of the hostname check,
but it is not as strict as what the modern browsers do.
Currently, curl allows multiple wildcard characters '*' and they match
'.' (as described in the comment in ssluse.c).
The Firefox implementation is also based on RFC 2818, but it only allows at
most one wildcard character; it must be in the left-most label in the pattern
and the wildcard must not be followed by any character in the label. [2]
The Chromium implementation is based on RFC 6125, as my patch is.
Firefox and Chromium both require the wildcard to be in the left-most label of
the presented identifier.

This patch is more strict than the current implementation, so there
may be some cases where old curl works but the new one does not.
But at the same time I think it is good practice to follow what the modern
browsers do and follow the newer RFC.

[1] http://tools.ietf.org/html/rfc6125#section-6.4.3
[2] https://bugzilla.mozilla.org/show_bug.cgi?id=159483


Daniel Stenberg | 1 Apr 15:29 2012

Re: [PATCH] TLS hostname check conforming to RFC 6125

On Sun, 1 Apr 2012, Tatsuhiro Tsujikawa wrote:

> This patch replaces RFC 2818 based hostname check in OpenSSL build with RFC 
> 6125 [1] based one.

Thanks a lot! A little nit though: strcasecmp() cannot be used. It is A) not 
portable enough and B) not good enough.

A - due to things like Windows
B - due to things like POSIX and Turkish:
     http://daniel.haxx.se/blog/2008/10/15/strcasecmp-in-turkish/

Curl_raw_equal() is the libcurl internal replacement for strcasecmp() but it 
has a slightly different return code. Can you update your patch to use this, 
please?

-- 

  / daniel.haxx.se
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette:  http://curl.haxx.se/mail/etiquette.html
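As an added illustration for this thread (not the patch itself and not curl's code), the wildcard rules described in the first mail combined with the locale-independent comparison Daniel asks for: at most one '*', only in the left-most label, never matching '.', and case folding done on ASCII only so that a POSIX locale such as Turkish cannot change the result as it does with strcasecmp(). The function names and the rejection of single-label suffixes like "*.com" are this example's own choices.

```c
#include <string.h>

/* ASCII-only lowercase: a Turkish locale cannot affect this, unlike strcasecmp(). */
static int ascii_lower(int c)
{
    return (c >= 'A' && c <= 'Z') ? c + ('a' - 'A') : c;
}

/* Case-insensitive compare of n bytes, ASCII folding only (both must hold n bytes). */
static int raw_nequal(const char *a, const char *b, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (ascii_lower((unsigned char)a[i]) != ascii_lower((unsigned char)b[i]))
            return 0;
    return 1;
}

/* Case-insensitive compare of two whole strings, ASCII folding only. */
static int raw_equal(const char *a, const char *b)
{
    size_t n = strlen(a);
    return n == strlen(b) && raw_nequal(a, b, n);
}

/* Returns 1 if hostname matches the presented identifier 'pattern', else 0. */
int rfc6125_hostmatch(const char *hostname, const char *pattern)
{
    const char *star = strchr(pattern, '*');
    if (!star)                                /* no wildcard: exact compare */
        return raw_equal(hostname, pattern);

    const char *plabel_end = strchr(pattern, '.');
    /* One wildcard only, only in the left-most label, and at least two more
       labels after it so "*.com" is rejected (common practice, not RFC text). */
    if (!plabel_end || star > plabel_end || strchr(star + 1, '*') ||
        !strchr(plabel_end + 1, '.'))
        return 0;

    const char *hlabel_end = strchr(hostname, '.');
    /* '*' never matches '.', so everything after the first label must agree. */
    if (!hlabel_end || !raw_equal(hlabel_end, plabel_end))
        return 0;

    size_t prefixlen = (size_t)(star - pattern);            /* text before '*' */
    size_t suffixlen = (size_t)(plabel_end - (star + 1));   /* text after '*'  */
    if ((size_t)(hlabel_end - hostname) < prefixlen + suffixlen + 1)
        return 0;                             /* '*' must cover >= 1 character */
    return raw_nequal(hostname, pattern, prefixlen) &&
           raw_nequal(hlabel_end - suffixlen, star + 1, suffixlen);
}
```

Under the old RFC 2818 style behaviour the mail describes, "*.example.com" would have covered "foo.bar.example.com" too; here that case is rejected because the wildcard stops at the label boundary.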

Tatsuhiro Tsujikawa | 1 Apr 15:47 2012

Re: [PATCH] TLS hostname check conforming to RFC 6125

On 1 Apr 2012 22:29, Daniel Stenberg <daniel <at> haxx.se> wrote:
> On Sun, 1 Apr 2012, Tatsuhiro Tsujikawa wrote:
>
>> This patch replaces RFC 2818 based hostname check in OpenSSL build with
>> RFC 6125 [1] based one.
>
>
> Thanks a lot! A little nit though: strcasecmp() cannot be used. It is A) not
> portable enough and B) not good enough.
>
> A - due to things like Windows
> B - due to things like POSIX and Turkish:
>    http://daniel.haxx.se/blog/2008/10/15/strcasecmp-in-turkish/
>
> Curl_raw_equal() is the libcurl internal replacement for strcasecmp() but it
> has a slightly different return code. Can you update your patch to use this,
> please?
>

Sure. Updated patch attached.

Best regards,

Tatsuhiro Tsujikawa

Daniel Stenberg | 1 Apr 20:12 2012

Re: [PATCH] TLS hostname check conforming to RFC 6125

On Sun, 1 Apr 2012, Tatsuhiro Tsujikawa wrote:

> Sure. Updated patch attached.

Thanks again. Merged and pushed!

-- 

  / daniel.haxx.se