[Git][NTPsec/ntpsec][master] Relax restrictions on wildcard certificates to permit them in left-most label

Richard Laager (@rlaager) gitlab at mg.gitlab.com
Tue May 10 19:01:52 UTC 2022



Richard Laager pushed to branch master at NTPsec / ntpsec


Commits:
fc8ad855 by Matt Selsky at 2022-05-10T18:55:22+00:00
Relax restrictions on wildcard certificates to permit them in left-most label

Partial wildcard certificates are still prohibited

NTPsec/ntpsec#729

- - - - -


1 changed file:

- ntpd/nts_client.c


Changes:

=====================================
ntpd/nts_client.c
=====================================
@@ -401,10 +401,11 @@ void set_hostname(SSL *ssl, const char *hostname) {
 	}
 
 /* https://wiki.openssl.org/index.php/Hostname_validation
- * Wildcards are deprecated by RFC 6125
- * https://datatracker.ietf.org/doc/html/rfc6125#section-7.2
+ * draft-ietf-uta-rfc6125bis section 3 relaxes the restrictions around the use
+ * of wildcards to make it clear that they're permitted unless specifically
+ * prohibited in an RFC
  */
-	SSL_set_hostflags(ssl, X509_CHECK_FLAG_NO_WILDCARDS);
+	SSL_set_hostflags(ssl, X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS);
 	SSL_set1_host(ssl, host);
 	msyslog(LOG_DEBUG, "NTSc: set cert host: %s", host);
 
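Review bot: The rewritten block comment above SSL_set_hostflags() explains why wildcards are now accepted but not what the new flag still rejects. The commit message states that partial wildcards remain prohibited, and that belongs in the comment as well, for example: "Partial wildcards (a '*' with a prefix or suffix inside the label) are still rejected by X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS". The rationale also rests on an Internet-Draft (draft-ietf-uta-rfc6125bis section 3), so cite the draft revision number so the section reference stays meaningful if the draft is renumbered or published. Separately, in the unchanged context the return value of SSL_set1_host(ssl, host) is not checked before msyslog reports the cert host as set; a failure there would still produce the "set cert host" log line, so consider checking the result and logging an error instead.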



View it on GitLab: https://gitlab.com/NTPsec/ntpsec/-/commit/fc8ad855e755d4252849d7e5412f480f38775a47
