Skip to content

Stricter hostname verification #10

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 1 commit into from
Closed

Stricter hostname verification #10

wants to merge 1 commit into from

Conversation

tarcieri
Copy link
Collaborator

This change implements hostname verification more in-line with RFC 6125.

Additionally it eliminates the use of regexes when verifying hostnames, opting for simple string comparisons instead.

@tarcieri
Copy link
Collaborator Author

The test_post_connection_check(OpenSSL::TestSSL) test is failing because the tests try to match "*.localdomain" and this hostname verifier has been explicitly written to disallow wildcards on TLDs.

Disallowing wildcards on TLDs is recommended by ICANN:

https://www.icann.org/groups/ssac/documents/sac-015-en

csstaub
csstaub reviewed Mar 28, 2015
View reviewed changes
lib/openssl/ssl.rb
@@ -168,6 +166,27 @@ def verify_certificate_identity(cert, hostname)
end
module_function :verify_certificate_identity

def verify_hostname(san, hostname)
san_parts = san.split(".")
return san == hostname if san_parts.size < 3
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I would add a comment here to indicate the reasoning for this.

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done

@zzak
Copy link
Member

zzak commented Mar 28, 2015

I'd prefer we nodoc these functions (for now) to avoid promoting them as public api

@tarcieri
Copy link
Collaborator Author

@zzak my last commit makes the existing test suite pass (sans the unrelated memory leak error)

@tarcieri
Copy link
Collaborator Author

I'd call this finished for a first pass

@zzak
Copy link
Member

zzak commented Mar 30, 2015

Can you squash your commits please?

@tarcieri tarcieri force-pushed the stricter-hostname-verification branch from 4188c09 to ea9a6f8 Compare March 30, 2015 00:29
@tarcieri
Copy link
Collaborator Author

Squashed

stouset
stouset reviewed Mar 30, 2015
View reviewed changes
lib/openssl/ssl.rb
# U-label of an internationalized domain name.
return false if !parts[0].empty? && domain_component.start_with?("xn--")

domain_component.start_with?(parts[0]) && domain_component.end_with?(parts[1])
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This isn't strict enough.

>> san_component    = "abc*bcd"
>> domain_component = "abcd"
>> parts            = san_component.split("*", -1)
>> domain_component.start_with?(parts[0]) && domain_component.end_with?(parts[1])
=> true

@stouset
Copy link

stouset commented Mar 30, 2015

Sans the issue above, LGTM. More tests, though?

@tarcieri tarcieri force-pushed the stricter-hostname-verification branch from ea9a6f8 to a67b7ef Compare March 30, 2015 16:53
@tarcieri tarcieri force-pushed the stricter-hostname-verification branch from a67b7ef to 75c94a1 Compare March 30, 2015 17:00
@tarcieri
Copy link
Collaborator Author

Will reopen with the in-repo branch

@tarcieri tarcieri closed this Mar 30, 2015
@tarcieri
Copy link
Collaborator Author

Reopened as #12

@tarcieri tarcieri mentioned this pull request Dec 17, 2020
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@tarcieri @zzak @stouset @csstaub