[Pkg-gnutls-maint] Bug#479174: [gnutls26] Non-permissive subjectAltName wildcard
Jean-Philippe Garcia Ballester
giga at le-pec.org
Sat May 3 12:49:47 UTC 2008
Package: gnutls26
Severity: normal
Tags: patch
--- Please enter the report below this line. ---
It seems to me that the subjectAltName wildcard matching has strong
constraints.
First, it allows only one wildcard. Since a wildcard can only match a single
domain component, multiple wildcards are useful (e.g., *.*.example.org). I
did not see such a restriction in RFC 2818.
Second, it only allows the wildcard to be at the beginning of the hostname.
Since RFC 2818 gives “f*.com” as an example, I believe this is a false
assertion.
Third, it only allows the wildcard to be followed by a ‘.’. This is not
clearly stated in the RFC, but I believe it is reasonable to assume that
if “f*.com” is allowed, then “f*o.com” should be allowed as well.
The attached patch fixes all these issues and adds some tests.
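As an added illustration (not the patch attached to this report, and not gnutls code), the following matcher implements the three relaxations described above: any number of wildcards, a wildcard at any position inside a label, and a wildcard that never crosses a ‘.’, so “*.example.org” still does not match “a.b.example.org”. The function names san_dnsname_matches and wildcard_match are this example's own; note that later guidance (RFC 6125) is stricter than RFC 2818 and only accepts a wildcard in the leftmost label.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>

/* Added example, not the report's patch: '*' matches any run of characters
 * that contains no '.', so one wildcard never spans more than one domain
 * component. Any number of wildcards may appear, at any position inside a
 * label. Comparison is case-insensitive, as DNS names are. */
static bool wildcard_match(const char *pat, const char *host)
{
    if (*pat == '\0')
        return *host == '\0';
    if (*pat == '*') {
        /* The star consumes zero or more non-dot characters; try each split
         * and backtrack. Input is a hostname, so the recursion stays small. */
        for (;;) {
            if (wildcard_match(pat + 1, host))
                return true;
            if (*host == '\0' || *host == '.')
                return false; /* a wildcard may not cross a label boundary */
            host++;
        }
    }
    if (*host == '\0')
        return false;
    if (tolower((unsigned char)*pat) != tolower((unsigned char)*host))
        return false;
    return wildcard_match(pat + 1, host + 1);
}

/* Returns 1 if the dNSName SAN entry matches the requested hostname, else 0.
 * Empty or missing names never match. */
int san_dnsname_matches(const char *san, const char *hostname)
{
    if (san == NULL || hostname == NULL || *san == '\0' || *hostname == '\0')
        return 0;
    return wildcard_match(san, hostname) ? 1 : 0;
}
```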
--- System information. ---
Architecture: amd64
Kernel: Linux 2.6.18.8-xen
Debian Release: lenny/sid
500 unstable ftp.fr.debian.org
--- Package information. ---
Depends (Version) | Installed
=======================-+-===========
|
--
Jean-Philippe Garcia Ballester
-------------- next part --------------
A non-text attachment was scrubbed...
Name: gnutls26-2.2.3~rc_subject_alt_name_permissive_wildcard.patch
Type: text/x-diff
Size: 13307 bytes
Desc: not available
Url : http://lists.alioth.debian.org/pipermail/pkg-gnutls-maint/attachments/20080503/7cd6e293/attachment.patch