Wildcards on cert host checking

Gary E. Miller gem at rellim.com
Wed Feb 13 23:05:56 UTC 2019


Yo Hal!

On Wed, 13 Feb 2019 14:52:35 -0800
Hal Murray via devel <devel at ntpsec.org> wrote:

> Gary said:
> >> Any reason to allow or prohibit them?  
> > Do you mean the option to reject certs where the cert name
> > is: *.example.com?  
> 
> > Do you mean for client or server cert checking?   
> 
> I'm interested in the case where the client is checking the cert from
> the server.

Well, in that case, a MUST.  Many large server farms are too lazy to
get individual certs for the individual hosts.  They come and go too
quickly to be micro-managed.  They just get a wildcard cert.

> OpenSSL doesn't default to requiring a cert or checking it.  You have
> to check it explicitly, and if you want to verify that the cert came
> from the right place you have to give OpenSSL a hostname to check.
> That same area of the API has an option to disable wildcards.

So, a simple switch.  If someone can afford a wildcard cert, you
can pretty much bet it is legit.

Firefox accidentally broke wildcard certs a while back, and that was
not pretty.  Also, RFC2818 pretty much requires it:

    "Matching is performed using the matching rules specified by
    [RFC2459]. If more than one identity of a given type is present
    in the certificate (e.g., more than one dNSName name, a match in
    any one of the set is considered acceptable.) Names may contain
    the wildcard character * which is considered to match any single
    domain name component or component fragment. E.g., *.a.com matches
    foo.a.com but not bar.foo.a.com. f*.com matches foo.com but not
    bar.com."



RGDS
GARY
---------------------------------------------------------------------------
Gary E. Miller Rellim 109 NW Wilmington Ave., Suite E, Bend, OR 97703
	gem at rellim.com  Tel:+1 541 382 8588

	    Veritas liberabit vos. -- Quid est veritas?
    "If you can’t measure it, you can’t improve it." - Lord Kelvin
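The matching rule quoted above from RFC 2818, carried out in code, with a switch that mirrors the "disable wildcards" option mentioned for the OpenSSL client-side hostname check (OpenSSL's flag is X509_CHECK_FLAG_NO_WILDCARDS, set through X509_VERIFY_PARAM_set_hostflags() or SSL_set_hostflags()). This is an added example, not NTPsec or OpenSSL code: the NO_WILDCARDS constant, the function names, and the list of dNSName values are constructed for the example, and a real client would take the identities from a parsed certificate rather than a list.

```python
"""RFC 2818-style hostname matching with an optional wildcard switch.

Added example, not NTPsec or OpenSSL code.  It implements the rule
quoted from RFC 2818 section 3.1: '*' matches a single DNS label or a
fragment of one and never spans a dot, so '*.a.com' matches 'foo.a.com'
but not 'bar.foo.a.com', and 'f*.com' matches 'foo.com' but not
'bar.com'.  If a certificate carries several dNSName identities, any
one of them matching is enough.  NO_WILDCARDS mimics the behaviour of
OpenSSL's X509_CHECK_FLAG_NO_WILDCARDS; the constant itself is ours.
"""
from typing import Iterable

NO_WILDCARDS = 1  # constructed flag value; only the behaviour mirrors OpenSSL


def _label_matches(pattern: str, label: str) -> bool:
    """Match one DNS label of the host against one label of the pattern.

    A single '*' matches any run of characters inside the label
    (a "component fragment" in RFC 2818 terms).  Because labels are
    split on '.', the '*' can never match across a dot.
    """
    if "*" not in pattern:
        return pattern == label
    if pattern.count("*") > 1:
        return False  # refuse ambiguous patterns such as 'a*b*c'
    head, tail = pattern.split("*", 1)
    return (
        len(label) >= len(head) + len(tail)
        and label.startswith(head)
        and label.endswith(tail)
    )


def hostname_matches(pattern: str, hostname: str, flags: int = 0) -> bool:
    """Return True if a single certificate identity matches the hostname.

    DNS names are case-insensitive and a trailing dot is an absolute-name
    marker, so both are normalised before comparison.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" in pattern and flags & NO_WILDCARDS:
        return False  # the client was told to reject wildcard identities
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if len(p_labels) != len(h_labels):
        return False  # '*.a.com' has three labels; 'bar.foo.a.com' has four
    return all(_label_matches(p, h) for p, h in zip(p_labels, h_labels))


def cert_matches_host(dns_names: Iterable[str], hostname: str,
                      flags: int = 0) -> bool:
    """Any one of the certificate's dNSName identities matching is enough."""
    return any(hostname_matches(name, hostname, flags) for name in dns_names)


if __name__ == "__main__":
    # Constructed dNSName list standing in for a server certificate's SAN.
    san = ["ntp.example.net", "*.example.com"]
    for host in ("pool.example.com", "a.pool.example.com", "ntp.example.net"):
        print(host, cert_matches_host(san, host),
              "(no wildcards:", cert_matches_host(san, host, NO_WILDCARDS), ")")
```

Note that this is the 2818 rule as quoted, which is looser than what most current clients enforce: RFC 6125 restricts the wildcard to the left-most label, and OpenSSL's X509_check_host() applies that restriction by default and has a separate X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS flag to reject the "f*.com" form as well. Disabling wildcards entirely, as the switch above does, is the option the thread is discussing.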