This is an archived snapshot of W3C's public bugzilla bug tracker, decommissioned in April 2019. Please see the home page for more details.

Bug 6313 - HTTPS certificates: hostname matching is too strict
Status: RESOLVED FIXED
Alias: None
Product: mobileOK Basic checker
Classification: Unclassified
Component: Java Library
Version: unspecified
Hardware: PC Linux
Importance: P2 normal
Target Milestone: ---
Assignee: fd
Reported: 2008-12-16 13:11 UTC by fd
Modified: 2008-12-16 14:19 UTC

Description fd 2008-12-16 13:11:53 UTC
Certificates typically come with:
 1. a list of host names that the certificate applies to
 2. the possibility to define hostnames such as *.example.com

The current implementation only checks the first name of the certificate and does not handle wild chars.

Comment 1 fd 2008-12-16 14:19:02 UTC
I based the code on the not-yet-commons-ssl package from Julius Davies:
 http://juliusdavies.ca/commons-ssl/index.html

There does not seem to be "one" way to verify the hostname; different browsers may use slightly different rules. I used the method that seems to be the most widely used:
 - the hostname must match the first CN in the certificate or any of the subject-alts fields.
 - a wildcard can occur in any of these names
 - a wildcard matches all subdomains (*.example.com matches a.b.example.com)
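
The three rules listed in Comment 1, written out as an added example (not the checker's code and not code from not-yet-commons-ssl); the class and method names are hypothetical and the certificate names are constructed. It goes one step beyond the comment by including a stricter variant in which a wildcard covers a single label, as in RFC 2818 section 3.1, so the hosts on which the two interpretations disagree are visible.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.Locale;

public class HostnameMatchDemo {
    // Rule from Comment 1: a leading "*." covers any depth of subdomains.
    static boolean matchesLenient(String host, String pattern) {
        String h = host.toLowerCase(Locale.ROOT);   // DNS names compare case-insensitively
        String p = pattern.toLowerCase(Locale.ROOT);
        if (!p.startsWith("*.")) return h.equals(p);
        String suffix = p.substring(1);             // keep the dot: ".example.com"
        return h.length() > suffix.length() && h.endsWith(suffix);
    }

    // Stricter variant (RFC 2818 section 3.1): "*" stands for exactly one label.
    static boolean matchesSingleLabel(String host, String pattern) {
        if (!matchesLenient(host, pattern)) return false;
        if (!pattern.startsWith("*.")) return true;
        // Part of the host that the "*" had to absorb (ASCII names assumed).
        String covered = host.substring(0, host.length() - pattern.length() + 1);
        return !covered.contains(".");
    }

    // Names tested per Comment 1: the first CN plus every subject-alt entry.
    static boolean verify(String host, String firstCn, List<String> subjectAlts, boolean strict) {
        List<String> names = new ArrayList<>(subjectAlts);
        names.add(0, firstCn);
        for (String name : names) {
            boolean ok = strict ? matchesSingleLabel(host, name) : matchesLenient(host, name);
            if (ok) return true;
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed certificate names, not taken from a real certificate.
        String cn = "www.example.com";
        List<String> alts = Arrays.asList("example.com", "*.example.com");
        String[] hosts = {"example.com", "www.example.com", "a.b.example.com",
                          "example.org", "badexample.com"};
        for (String host : hosts) {
            System.out.printf("%-18s lenient=%-5b strict=%b%n", host,
                    verify(host, cn, alts, false), verify(host, cn, alts, true));
        }
    }
}
```

Of the constructed hosts, only a.b.example.com is accepted by the lenient rule and rejected by the single-label rule; badexample.com fails both because the comparison keeps the dot in front of the suffix.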