[Git][NTPsec/ntpsec][master] Relax restrictions on wildcard certificates to permit them in left-most label
Richard Laager (@rlaager)
gitlab at mg.gitlab.com
Tue May 10 19:01:52 UTC 2022
Richard Laager pushed to branch master at NTPsec / ntpsec
Commits:
fc8ad855 by Matt Selsky at 2022-05-10T18:55:22+00:00
Relax restrictions on wildcard certificates to permit them in left-most label
Partial wildcard certificates are still prohibited
NTPsec/ntpsec#729
- - - - -
1 changed file:
- ntpd/nts_client.c
Changes:
=====================================
ntpd/nts_client.c
=====================================
@@ -401,10 +401,11 @@ void set_hostname(SSL *ssl, const char *hostname) {
}
/* https://wiki.openssl.org/index.php/Hostname_validation
- * Wildcards are deprecated by RFC 6125
- * https://datatracker.ietf.org/doc/html/rfc6125#section-7.2
+ * draft-ietf-uta-rfc6125bis section 3 relaxes the restrictions around the use
+ * of wildcards to make it clear that they're permitted unless specifically
+ * prohibited in an RFC
*/
- SSL_set_hostflags(ssl, X509_CHECK_FLAG_NO_WILDCARDS);
+ SSL_set_hostflags(ssl, X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS);
SSL_set1_host(ssl, host);
msyslog(LOG_DEBUG, "NTSc: set cert host: %s", host);
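Review bot: The new comment above SSL_set_hostflags cites "draft-ietf-uta-rfc6125bis section 3" with no draft revision or URL, and it never says that partial wildcards are still rejected, which is what X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS enforces and what the commit message promises. Section numbers in an Internet-Draft can move between revisions, so pin the revision or link it the way the removed comment linked RFC 6125 section 7.2. Also add a line to the comment stating that a "*" sharing a label with other characters (for example "www*") is still refused, so the comment and the flag agree. Separately, the unchanged context line SSL_set1_host(ssl, host); discards its return value. Since this change widens the set of certificate names the client accepts, it would be worth checking that call and logging a failure rather than only emitting the LOG_DEBUG line.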
View it on GitLab: https://gitlab.com/NTPsec/ntpsec/-/commit/fc8ad855e755d4252849d7e5412f480f38775a47