aboutsummaryrefslogtreecommitdiff
path: root/docs/CONTRIBUTE
diff options
context:
space:
mode:
authorTatsuhiro Tsujikawa <tatsuhiro.t@gmail.com>2012-04-01 21:58:17 +0900
committerDaniel Stenberg <daniel@haxx.se>2012-04-01 20:10:37 +0200
commitebf315e6f399ec534dbce4741d0463c28ae858e3 (patch)
tree5287724d9f5dc168028e7194a27031e4129e5af8 /docs/CONTRIBUTE
parentc44d45db86b880df5facd6b560491e03530f876e (diff)
OpenSSL: Made cert hostname check conform to RFC 6125
This change replaces RFC 2818 based hostname check in OpenSSL build with RFC 6125 [1] based one. The hostname check in RFC 2818 is ambiguous and each project implements it in the their own way and they are slightly different. I check curl, gnutls, Firefox and Chrome and they are all different. I don't think there is a bug in current implementation of hostname check. But it is not as strict as the modern browsers do. Currently, curl allows multiple wildcard character '*' and it matches '.'. (as described in the comment in ssluse.c). Firefox implementation is also based on RFC 2818 but it only allows at most one wildcard character and it must be in the left-most label in the pattern and the wildcard must not be followed by any character in the label.[2] Chromium implementation is based on RFC 6125 as my patch does. Firefox and Chromium both require wildcard in the left-most label in the presented identifier. This patch is more strict than the current implementation, so there may be some cases where old curl works but new one does not. But at the same time I think it is good practice to follow the modern browsers do and follow the newer RFC. [1] http://tools.ietf.org/html/rfc6125#section-6.4.3 [2] https://bugzilla.mozilla.org/show_bug.cgi?id=159483
Diffstat (limited to 'docs/CONTRIBUTE')
0 files changed, 0 insertions, 0 deletions