haskell-tls / hs-certificate

Certificate and Key Reader/Writer in haskell

x509-validation rejects valid wildcard certs #38

Closed wereHamster closed 9 years ago

wereHamster commented 9 years ago

I have a wildcard certificate for *.xxx.xx and it is rejected when matched against aaa.xxx.xx. The relevant code is in x509-validation/Data/X509/Validation.hs:

wildcardMatch l
            -- <star>.com or <star> is always invalid
            | length l < 2 = [InvalidWildcard]
            -- some TLD like .uk got small subTLD like (.co.uk), and we don't want to accept *.co.uk
            | length (head l) <= 2 && length (head $ drop 1 l) <= 3 && length l < 3 = [InvalidWildcard]
            | l == take (length l) (reverse $ splitDot fqhn) = [] -- success: we got a match
            | otherwise                                      = [NameMismatch fqhn]

There are many two-character TLDs under which ordinary people can register three-letter domains.
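To make the report concrete, here is a Python port of the guards quoted above (an added example, not hs-certificate's code). It assumes, as the snippet's use of `l` and `fqhn` suggests, that `l` is the reversed list of pattern labels after the `*` and that `splitDot` splits on `.`; the sample host names are constructed.

```python
from typing import List

# Failure reasons, mirroring the constructors in the quoted Haskell.
INVALID_WILDCARD = "InvalidWildcard"
NAME_MISMATCH = "NameMismatch"


def split_dot(name: str) -> List[str]:
    """Split a host name into its labels (assumed behaviour of splitDot)."""
    return name.split(".")


def wildcard_match(pattern: str, fqhn: str) -> List[str]:
    """Return the failure reasons for matching fqhn against a wildcard
    pattern such as '*.xxx.xx', following the quoted guards one by one."""
    labels = split_dot(pattern)
    if labels[0] != "*":
        raise ValueError("not a wildcard pattern")
    # l = reversed labels after the star, e.g. ['xx', 'xxx'] for '*.xxx.xx'
    l = list(reversed(labels[1:]))

    # <star>.com or <star> is always invalid
    if len(l) < 2:
        return [INVALID_WILDCARD]

    # Heuristic meant to reject *.co.uk: a TLD of at most two characters
    # followed by a label of at most three characters, with nothing else.
    # This is the guard that also rejects the legitimate *.xxx.xx.
    if len(l[0]) <= 2 and len(l[1]) <= 3 and len(l) < 3:
        return [INVALID_WILDCARD]

    # Success when the reversed host labels start with l (suffix comparison).
    host = list(reversed(split_dot(fqhn)))
    if l == host[: len(l)]:
        return []
    return [NAME_MISMATCH]


if __name__ == "__main__":
    # Constructed inputs: the reported false reject, the case the heuristic
    # targets, and two ordinary three-letter-TLD matches.
    for pat, host in [("*.xxx.xx", "aaa.xxx.xx"), ("*.co.uk", "www.co.uk"),
                      ("*.example.com", "www.example.com"),
                      ("*.example.com", "www.other.com"), ("*.com", "a.com")]:
        print(f"{pat!r} vs {host!r}: {wildcard_match(pat, host)}")
```

Running it shows `*.xxx.xx` rejected with `InvalidWildcard` for `aaa.xxx.xx`, exactly the behaviour reported above, while `*.example.com` matches `www.example.com`.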

wereHamster commented 9 years ago

You should use this to decide what suffix to allow: https://publicsuffix.org

wereHamster commented 9 years ago

Apparently the PSL should not be used. See #60.