Add support for wildcard hostname checks #10646
Open
rado17 wants to merge 1 commit into Mbed-TLS:development from
Support configuration of wildcard hostname against which common name of certificates can be verified.

Signed-off-by: Ravi Dondaputi <ravi.dondaputi@nordicsemi.no>
| size_t i; | ||
| size_t cn_idx = 0, cn_len = strlen(cn); | ||
|
|
||
| /* Wildcard common name */ |
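Review bot: at the `cn_len = strlen(cn)` declaration, `cn` is passed to `strlen()` with no NULL check visible in this hunk, and the `/* Wildcard common name */` comment does not say what form of name is accepted or how many labels the wildcard covers. Suggest stating the accepted pattern and the matching rule in that comment, and confirming that `cn` is non-NULL before `strlen(cn)` is evaluated.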
Contributor
This patch is incomplete — it lacks documentation and tests.
Maybe the documentation would clear it up, but I don't understand what this is supposed to do. The practical effect is that mbedtls_x509_crt_verify() and friends would accept a cn of the form *.SOMEDOMAIN, and it would mean “accept a certificate as valid if it's for any host within SOMEDOMAIN”. It would also have a similar effect on mbedtls_ssl_set_hostname().
Why? What's the use case for accepting any host within a domain with the same certificate? (Usually the reason to have multiple hosts within a domain is to have separation between subentities of an organization!) What standard would this follow?
Support configuration of wildcard hostname against which common name of certificates can be verified.
Description
Validate wildcard hostname against certificate CN. Perform domain suffix matching for certificates. This allows a configured CN (e.g., "[any].example.com") to match any subdomain like "sub.example.com", "api.example.com", etc. The function extracts the domain portion from the provided hostname (everything after the first dot) and compares it case-insensitively against the CN suffix present in the certificate.
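The suffix comparison outlined in the Description, written out as an added example; it is not the PR's code and not an Mbed TLS API. `wildcard_cn_match` is a hypothetical helper that assumes the configured name has the form `*.<domain>` and that the wildcard stands for exactly one non-empty label, and it keeps the leading dot in the comparison so a name such as `evilexample.com` is not treated as ending in the configured domain.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* ASCII case-insensitive comparison of n bytes. */
static int ascii_ieq(const char *a, const char *b, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        if (tolower((unsigned char) a[i]) != tolower((unsigned char) b[i])) return 0;
    }
    return 1;
}

/* Hypothetical helper (not an Mbed TLS function): returns 1 if cert_cn is
 * "<one label>.<domain>" for a configured pattern "*.<domain>", else 0. */
int wildcard_cn_match(const char *pattern, const char *cert_cn)
{
    if (pattern == NULL || cert_cn == NULL) {
        return 0;
    }
    /* Assumption: the configured name is "*." followed by a non-empty domain. */
    if (strncmp(pattern, "*.", 2) != 0 || pattern[2] == '\0') {
        return 0;
    }
    const char *suffix = pattern + 1;          /* ".example.com", dot included */
    size_t suffix_len = strlen(suffix);
    size_t cn_len = strlen(cert_cn);
    if (cn_len <= suffix_len) {                /* rejects "example.com", ".example.com" */
        return 0;
    }
    size_t label_len = cn_len - suffix_len;
    /* Comparing with the leading dot anchors the match on a label boundary. */
    if (!ascii_ieq(cert_cn + label_len, suffix, suffix_len)) {
        return 0;
    }
    /* Assumption: the wildcard stands for one label, so no dot before the suffix. */
    return memchr(cert_cn, '.', label_len) == NULL;
}

int main(void)
{
    /* Constructed sample names, not taken from the PR. */
    const char *names[] = { "sub.example.com", "API.Example.COM", "example.com",
                            "evilexample.com", "a.b.example.com", ".example.com" };
    for (size_t i = 0; i < sizeof(names) / sizeof(names[0]); i++) {
        printf("%-16s -> %d\n", names[i], wildcard_cn_match("*.example.com", names[i]));
    }
    return 0;
}
```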