Skip to content

Stricter hostname verification#10

Closed
tarcieri wants to merge 1 commit intoruby:masterfrom
tarcieri:stricter-hostname-verification
Closed

Stricter hostname verification#10
tarcieri wants to merge 1 commit intoruby:masterfrom
tarcieri:stricter-hostname-verification

Conversation

@tarcieri
Copy link
Collaborator

@tarcieri tarcieri commented Mar 27, 2015

This change implements hostname verification more in-line with RFC 6125.

Additionally it eliminates the use of regexes when verifying hostnames, opting for simple string comparisons instead.

@tarcieri
Copy link
Collaborator Author

tarcieri commented Mar 27, 2015

The test_post_connection_check(OpenSSL::TestSSL) test is failing because the tests try to match "*.localdomain" and this hostname verifier has been explicitly written to disallow wildcards on TLDs.

Disallowing wildcards on TLDs is recommended by ICANN:

https://www.icann.org/groups/ssac/documents/sac-015-en

csstaub
csstaub reviewed Mar 28, 2015
View reviewed changes
lib/openssl/ssl.rb Outdated
Copy link

@csstaub csstaub Mar 28, 2015

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I would add a comment here to indicate the reasoning for this.

Copy link
Collaborator Author

@tarcieri tarcieri Mar 28, 2015

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done

@zzak
Copy link
Member

zzak commented Mar 28, 2015

I'd prefer we nodoc these functions (for now) to avoid promoting them as public api

@tarcieri
Copy link
Collaborator Author

tarcieri commented Mar 28, 2015

@zzak my last commit makes the existing test suite pass (sans the unrelated memory leak error)

@tarcieri
Copy link
Collaborator Author

tarcieri commented Mar 29, 2015

I'd call this finished for a first pass

@zzak
Copy link
Member

zzak commented Mar 30, 2015

Can you squash your commits please?

@tarcieri tarcieri force-pushed the stricter-hostname-verification branch from 4188c09 to ea9a6f8 Compare March 30, 2015 00:29
@tarcieri
Copy link
Collaborator Author

tarcieri commented Mar 30, 2015

Squashed

stouset
stouset reviewed Mar 30, 2015
View reviewed changes
lib/openssl/ssl.rb Outdated
Copy link

@stouset stouset Mar 30, 2015

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This isn't strict enough.

>> san_component    = "abc*bcd"
>> domain_component = "abcd"
>> parts            = san_component.split("*", -1)
>> domain_component.start_with?(parts[0]) && domain_component.end_with?(parts[1])
=> true

@stouset
Copy link

stouset commented Mar 30, 2015

Sans the issue above, LGTM. More tests, though?

@tarcieri tarcieri force-pushed the stricter-hostname-verification branch from ea9a6f8 to a67b7ef Compare March 30, 2015 16:53
@tarcieri tarcieri force-pushed the stricter-hostname-verification branch from a67b7ef to 75c94a1 Compare March 30, 2015 17:00
@tarcieri
Copy link
Collaborator Author

tarcieri commented Mar 30, 2015

Will reopen with the in-repo branch

@tarcieri tarcieri closed this Mar 30, 2015
@tarcieri
Copy link
Collaborator Author

tarcieri commented Mar 30, 2015

Reopened as #12

@tarcieri tarcieri mentioned this pull request Dec 17, 2020
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@tarcieri @zzak @stouset @csstaub