Summary: | wildcard ssl certificates incorrectly rejected for top level domain | ||
---|---|---|---|
Product: | [Unmaintained] kio | Reporter: | Adam Wiggins <hiro> |
Component: | kssl | Assignee: | George Staikos <staikos> |
Status: | RESOLVED FIXED | ||
Severity: | normal | CC: | tuju |
Priority: | NOR | ||
Version: | unspecified | ||
Target Milestone: | --- | ||
Platform: | Fedora RPMs | ||
OS: | Linux | ||
Latest Commit: | | Version Fixed In: |
Sentry Crash Report: | | |
Description
Adam Wiggins
2005-05-30 03:24:01 UTC
I don't agree. "*." doesn't match ""

Not in the strictest sense, no, but that is certainly the way it is intended. More importantly, not allowing it to match requires the purchase of an extra SSL certificate. So, by being pedantic about it, nothing is gained, BUT everyone who runs a domain like that will be required to pay an extra $100+ per year to purchase and maintain an extra cert. It would be quite ironic if software from the for-profit companies Microsoft and Apple (both of whose browsers match *. to no subdomain, just as I suggest) allowed you to avoid the purchase of the extra certificate, but free software demanded that you spend the extra money.

SVN commit 480071 by staikos:

*.example.com matches example.com apparently
BUG: 106476

 M  +8 -1      ksslpeerinfo.cc

```diff
--- branches/KDE/3.5/kdelibs/kio/kssl/ksslpeerinfo.cc #480070:480071
@@ -122,7 +122,7 @@
     // after the wildcard (*).
     QStringList parts = QStringList::split('.', cn, false);
 
-    while(parts.count() > 2)
+    while (parts.count() > 2)
         parts.remove(parts.begin());
 
     if (parts.count() != 2) {
@@ -141,6 +141,13 @@
                 QStringList::split('.', d->peerHost, false).count())
             return true;
 
+    // *.example.com must match example.com also.  Sigh..
+    if (cn.startsWith("*.")) {
+        QString chopped = cn.mid(2);
+        if (chopped == d->peerHost) {
+            return true;
+        }
+    }
     return false;
 }
```
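Review bot: the first hunk (`@@ -122,7 +122,7 @@`) is a whitespace-only change, `while(` to `while (`, unrelated to the bug being fixed; in a stable-branch (KDE/3.5) commit it only adds noise to the backport diff and would be cleaner in a separate style commit or dropped.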
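Review bot: in the second hunk (`@@ -141,6 +141,13 @@`) the new fallback compares `chopped == d->peerHost` with a case-sensitive QString comparison, so a certificate CN such as `*.Example.com` will not match a peer host of `example.com` unless both values were already normalised earlier in the function; a case-insensitive compare would be safer since DNS names are case-insensitive. The comment `// *.example.com must match example.com also.  Sigh..` should also state why, since this deliberately departs from the strict reading quoted in the report (`"*." doesn't match ""`) to follow what the reporter says IE and Safari do; a one-line rationale there saves the next maintainer from "fixing" it back.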
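The policy question argued above, strict wildcard matching (the `*` must stand for exactly one label) versus the lenient matching the fix adopts (`*.example.com` also covers the bare `example.com`), as an added stand-alone example; this is not the kssl code, uses plain `std::string` instead of Qt, and the function name `hostMatches` and the `strict` flag are this example's own choices.

```cpp
#include <algorithm>
#include <cctype>
#include <string>
#include <vector>

// Split a DNS name into labels, lower-casing them because DNS names are
// case-insensitive (certificate subjects are not guaranteed lower-case).
static std::vector<std::string> labels(const std::string& name) {
    std::vector<std::string> out;
    std::string cur;
    for (char c : name) {
        if (c == '.') {
            if (!cur.empty()) out.push_back(cur);
            cur.clear();
        } else {
            cur.push_back(static_cast<char>(std::tolower(static_cast<unsigned char>(c))));
        }
    }
    if (!cur.empty()) out.push_back(cur);
    return out;
}

// Does the certificate name `cn` cover `host`?
//   strict == true : "*" matches exactly one label, so "*.example.com"
//                    does NOT cover "example.com" (the quoted objection).
//   strict == false: additionally accept the bare domain, as the KDE fix does.
// A wildcard is only honoured in the left-most label, and only when at
// least two labels follow it, so "*.com" never matches anything.
bool hostMatches(const std::string& cn, const std::string& host, bool strict) {
    std::vector<std::string> c = labels(cn), h = labels(host);
    if (c.empty() || h.empty()) return false;
    if (c[0] != "*") return c == h;               // no wildcard: exact match only
    if (c.size() < 3) return false;               // refuse over-broad wildcards
    std::vector<std::string> suffix(c.begin() + 1, c.end());
    // Strict case: exactly one host label in front of the suffix.
    if (h.size() == suffix.size() + 1 &&
        std::equal(suffix.begin(), suffix.end(), h.begin() + 1))
        return true;
    // Lenient case: the host is the bare domain itself.
    return !strict && h == suffix;
}
```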