Skip to content

crypto/x509: Insufficient verification of ServerName when certificate is wildcard #27591

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
int-tt opened this issue Sep 10, 2018 · 5 comments
Closed

crypto/x509: Insufficient verification of ServerName when certificate is wildcard #27591

int-tt opened this issue Sep 10, 2018 · 5 comments
Labels
FrozenDueToAge NeedsFix The path to resolution is known, but the work has not been done.
Milestone
Go1.15

Comments

@int-tt
Copy link

int-tt commented Sep 10, 2018
edited
Loading

What version of Go are you using (go version)?

go version go1.11 linux/amd64

Does this issue reproduce with the latest release?

yes

What operating system and processor architecture are you using (go env)?

GOARCH="amd64"
GOBIN=""
GOCACHE="/root/.cache/go-build"
GOEXE=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="linux"
GOOS="linux"
GOPATH="/go"
GOPROXY=""
GORACE=""
GOROOT="/usr/local/go"
GOTMPDIR=""
GOTOOLDIR="/usr/local/go/pkg/tool/linux_amd64"
GCCGO="gccgo"
CC="gcc"
CXX="g++"
CGO_ENABLED="1"
GOMOD=""
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -m64 -pthread -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build454871894=/tmp/go-build -gno-record-gcc-switches"

What did you do?

see https://play.golang.org/p/VeX1YzLJKk1
Since it seems that network request can not be done in the play environment, try it locally

As in the sample code above, if the certificate used in the host name of the communication destination is a wild card, since the verification of ServerName specified by tls.Config{ServerName: u} is insufficient, including URLScheme etc. Even though it can pass.

If possible, provide a recipe for reproducing the error.
A complete runnable program is good.
A link on play.golang.org is best.

What did you expect to see?

Should not display error as hostname incorrect

What did you see instead?

HTTPS request succeed
@FiloSottile FiloSottile added the NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. label Sep 10, 2018
@FiloSottile FiloSottile added this to the Go1.12 milestone Sep 10, 2018
@FiloSottile FiloSottile self-assigned this Sep 10, 2018
@FiloSottile
Copy link
Contributor

Hmm, yeah that should not succeed, but we can't just apply verifyHostname, as there are a bunch of non-PKI users that put all sorts of things in the SAN (like the CloudSQL foo:bar:name).

However, we can probably make it a requirement for wildcard matching, as wildcards are only meaningfully defined over hostnames.

@FiloSottile FiloSottile added the NeedsFix The path to resolution is known, but the work has not been done. label Sep 10, 2018
@gopherbot gopherbot removed the NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. label Sep 10, 2018
@gopherbot
Copy link
Contributor

Change https://golang.org/cl/131575 mentions this issue: crypto/x509: validate HostName with VerifyHostname function

@int-tt
Copy link
Author

int-tt commented Sep 21, 2018

there are a bunch of non-PKI users that put all sorts of things in the SAN (like the CloudSQL foo:bar:name).

oh i didn't know that. thx you for teaching me.

I tried to verify the hostname only when wildcards are used.
https://go-review.googlesource.com/c/go/+/131575

@int-tt
Copy link
Author

int-tt commented Jan 28, 2019
edited
Loading

Hi!
I think that this issue has not been solved.
Is there something I am leaving something?
It will be helpful if you let me know :)

@andybons andybons modified the milestones: Go1.12, Go1.13 Feb 12, 2019
@andybons andybons modified the milestones: Go1.13, Go1.14 Jul 8, 2019
@rsc rsc modified the milestones: Go1.14, Backlog Oct 9, 2019
@FiloSottile FiloSottile modified the milestones: Backlog, Go1.14 Oct 23, 2019
@ianlancetaylor ianlancetaylor modified the milestones: Go1.14, Backlog Dec 5, 2019
@FiloSottile FiloSottile modified the milestones: Backlog, Go1.15 Mar 31, 2020
@gopherbot
Copy link
Contributor

Change https://golang.org/cl/231378 mentions this issue: crypto/x509: require perfect matches for invalid hostnames

@golang golang locked and limited conversation to collaborators May 8, 2021
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
FrozenDueToAge NeedsFix The path to resolution is known, but the work has not been done.
Projects
None yet
Milestone
Go1.15
Development

No branches or pull requests
6 participants
@rsc @andybons @FiloSottile @int-tt @ianlancetaylor @gopherbot