Bug 106476 - wildcard ssl certificates incorrectly rejected for top level domain
Summary: wildcard ssl certificates incorrectly rejected for top level domain
Status: RESOLVED FIXED
Alias: None
Product: kio
Classification: Unclassified
Component: kssl (show other bugs)
Version: unspecified
Platform: Fedora RPMs Linux
: NOR normal (vote)
Target Milestone: ---
Assignee: George Staikos
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2005-05-30 03:24 UTC by Adam Wiggins
Modified: 2009-07-27 11:34 UTC (History)
1 user (show)

See Also:
Latest Commit:
Version Fixed In:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Adam Wiggins 2005-05-30 03:24:01 UTC
Version:           3.4.0 (using KDE KDE 3.4.0)
Installed from:    Fedora RPMs
OS:                Linux

A wildcard SSL certificate issued to a domain should work not only with all subdomains but on the the domain itself.  For example, *.kde.org should work not only for https://www.kde.org and https://bugs.kde.org, but also just https://kde.org.

For a live example, go here:

https://infinitydrive.net

Click "Details" when the warning pops up.
Comment 1 Thiago Macieira 2005-05-30 03:43:47 UTC
I don't agree. "*." doesn't match ""
Comment 2 Adam Wiggins 2005-05-30 11:01:35 UTC
Not in the strictest sense, no, but that is certainly the way it is intended.

More importantly, not allowing it to match requires the purchase of an extra SSL certificate.  So, by being pedantic about it, nothing is gained- BUT everyone who runs a domain like that will be required to pay an extra $100+ per year to purchase and maintain and extra cert.

It would be quite ironic if software from the for-profit companies Microsoft and Apple (both of whose browsers match *. to no subdomain, just as I suggest) allowed you avoid the purchase of the extra certificate, but free software demanded that you spend the extra money.
Comment 3 George Staikos 2005-11-13 01:40:43 UTC
SVN commit 480071 by staikos:

*.example.com matches example.com apparently
BUG: 106476


 M  +8 -1      ksslpeerinfo.cc  


--- branches/KDE/3.5/kdelibs/kio/kssl/ksslpeerinfo.cc #480070:480071
@@ -122,7 +122,7 @@
 		// after the wildcard (*).
 		QStringList parts = QStringList::split('.', cn, false);
 
-		while(parts.count() > 2)
+		while (parts.count() > 2)
 			parts.remove(parts.begin());
 
 		if (parts.count() != 2) {
@@ -141,6 +141,13 @@
 		    QStringList::split('.', d->peerHost, false).count())
 			return true;
 
+		// *.example.com must match example.com also.  Sigh..
+		if (cn.startsWith("*.")) {
+			QString chopped = cn.mid(2);
+			if (chopped == d->peerHost) {
+				return true;
+			}
+		}
 		return false;
 	}