Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

crypto/x509: partial wildcards not supported #24888

Closed
kmala opened this issue Apr 16, 2018 · 1 comment
Closed

crypto/x509: partial wildcards not supported #24888

kmala opened this issue Apr 16, 2018 · 1 comment

Comments

@kmala
Copy link

kmala commented Apr 16, 2018

Please answer these questions before submitting your issue. Thanks!

What version of Go are you using (go version)?

go version go1.9.5 linux/amd64

Does this issue reproduce with the latest release?

Yes

What operating system and processor architecture are you using (go env)?

GOARCH="amd64"
GOBIN=""
GOEXE=""
GOHOSTARCH="amd64"
GOHOSTOS="linux"
GOOS="linux"
GOPATH="/go"
GORACE=""
GOROOT="/usr/local/go"
GOTOOLDIR="/usr/local/go/pkg/tool/linux_amd64"
GCCGO="gccgo"
CC="gcc"
GOGCCFLAGS="-fPIC -m64 -pthread -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build007879267=/tmp/go-build -gno-record-gcc-switches"
CXX="g++"
CGO_ENABLED="1"
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"

What did you do?

trying to match certificate test*.foo.com with host testabc.foo.com

What did you expect to see?

Expecting the host will match the certificate identifier. This is valid according to the RFC https://tools.ietf.org/html/rfc6125#section-6.4.3 where the client can validate this.

What did you see instead?

x509: certificate is valid for test*.foo.com, not testabc.foo.com

@FiloSottile FiloSottile changed the title X509 certificate not validating the host properly crypto/x509: partial wildcards not supported Apr 17, 2018
@FiloSottile
Copy link
Contributor

This is intentionally not supported.

The standard library package crypto/x509 is built for the WebPKI, and the Baseline Requirements disallow partial wildcards. Browsers behave similarly. Also, the RFC specifies that a client MAY match partial wildcards, so we are not breaking the spec.

@golang golang locked and limited conversation to collaborators Apr 17, 2019
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Projects
None yet
Development

No branches or pull requests

3 participants