crypto/tls: case-insensitive host match? #2792

Closed
patrickmn opened this issue Jan 26, 2012 · 4 comments
@patrickmn

What steps will reproduce the problem?
1. http.Get("https://www.paypal.nl/nl")

What is the expected output?
*http.Response

What do you see instead?
err: "Get https://www.paypal.nl/nl: certificate is valid for WWW.PAYPAL.COM,
PAYPAL.COM, HISTORY.PAYPAL.COM, WWW.PAYPALOBJECTS.COM, stxnapi.paypal.com,
CMS.PAYPAL.COM, STUDENT.PAYPAL.COM, PERSONAL.PAYPAL.COM, MERCHANT.PAYPAL.COM,
EMPRESAS.PAYPAL.COM, SHOPPING.PAYPAL.COM, WWW.THEPAYPALBLOG.COM, WWW.PAYPAL.AT,
WWW.PAYPAL.BE, WWW.PAYPAL.CA, WWW.PAYPAL.CH, WWW.PAYPAL.CL, WWW.PAYPAL.CN,
WWW.PAYPAL.CO.IL, WWW.PAYPAL.CO.IN, WWW.PAYPAL.CO.NZ, WWW.PAYPAL.CO.TH,
WWW.PAYPAL.CO.UK, WWW.PAYPAL.CO.ZA, WWW.PAYPAL.COM.AR, WWW.PAYPAL.COM.AU,
WWW.PAYPAL.COM.BR, WWW.PAYPAL.COM.CN, WWW.PAYPAL.COM.ES, WWW.PAYPAL.COM.HK,
WWW.PAYPAL.COM.MX, WWW.PAYPAL.COM.PT, WWW.PAYPAL.COM.SA, WWW.PAYPAL.COM.SG,
WWW.PAYPAL.COM.TR, WWW.PAYPAL.COM.TW, WWW.PAYPAL.COM.VE, WWW.PAYPAL.DE, WWW.PAYPAL.DK,
WWW.PAYPAL.ES, WWW.PAYPAL.FI, WWW.PAYPAL.FR, WWW.PAYPAL.IE, WWW.PAYPAL.IT,
WWW.PAYPAL.JP, WWW.PAYPAL.LU, WWW.PAYPAL.MX, WWW.PAYPAL.NL, WWW.PAYPAL.PH,
WWW.PAYPAL.PL, WWW.PAYPAL.PT, WWW.PAYPAL.SE, WWW.PAYPAL.NO, IPNPB.PAYPAL.COM, not
www.paypal.nl"

Which compiler are you using (5g, 6g, 8g, gccgo)? 6g

Which operating system are you using? Ubuntu 11.10

Which revision are you using? weekly.2012-01-20

Please provide any additional information below.

From RFC 5280 (http://www.ietf.org/rfc/rfc5280.txt):

   When comparing DNS names for equality, conforming implementations
   MUST perform a case-insensitive exact match on the entire DNS name.
   When evaluating name constraints, conforming implementations MUST
   perform a case-insensitive exact match on a label-by-label basis.  As
   noted in Section 4.2.1.10, any DNS name that may be constructed by
   adding labels to the left-hand side of the domain name given as the
   constraint is considered to fall within the indicated subtree.

Possible fix:

diff -r 9f2be4fbbf69 src/pkg/crypto/x509/verify.go
--- a/src/pkg/crypto/x509/verify.go Fri Jan 20 16:57:10 2012 +1100
+++ b/src/pkg/crypto/x509/verify.go Thu Jan 26 15:54:17 2012 +0100
@@ -206,8 +206,8 @@
        return false
    }
 
-   patternParts := strings.Split(pattern, ".")
-   hostParts := strings.Split(host, ".")
+   patternParts := strings.Split(strings.ToLower(pattern), ".")
+   hostParts := strings.Split(strings.ToLower(host), ".")
 
    if len(patternParts) != len(hostParts) {
        return false
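
Review bot: strings.ToLower on the two added lines applies Unicode case mapping rather than ASCII-only folding, so a non-ASCII character in pattern such as U+212A (Kelvin sign) is lowered to "k" and then compares equal to a plain ASCII label in host. Suggest lowering only the bytes A-Z before the strings.Split calls, or comparing each label with an ASCII-only fold, and adding a test that covers an upper-case pattern against a lower-case host plus one non-ASCII look-alike that must not match.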
@rsc
Contributor

rsc commented Jan 26, 2012

Comment 1:

Should probably use strings.EqualFold instead.
Leaving for a verdict from agl.

Labels changed: added priority-go1, removed priority-triage.

Owner changed to @agl.

Status changed to Accepted.

@agl
Contributor

agl commented Jan 26, 2012

Comment 2:

RFC 6125 6.4.1 is the standard and that references RFC 4343. So yes, it should be case
insensitive, but it's an ASCII insensitivity, not a Unicode one.
Will take a look.
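
The distinction between ASCII and Unicode case folding raised in this thread, as an added example that is not part of the original issue or of crypto/x509: `asciiLower` and `matchHostASCII` are hypothetical helpers, the leftmost-label-only wildcard rule is an assumption, and the inputs are constructed.

```go
package main

import (
	"fmt"
	"strings"
)

// asciiLower lowercases only the bytes A-Z; every other byte is left untouched.
func asciiLower(s string) string {
	b := []byte(s)
	for i, c := range b {
		if 'A' <= c && c <= 'Z' {
			b[i] = c + ('a' - 'A')
		}
	}
	return string(b)
}

// matchHostASCII is a hypothetical helper, not the crypto/x509 implementation.
// It compares a certificate name pattern with a host label by label using
// ASCII-only case folding. Assumption: "*" may replace only the leftmost label.
func matchHostASCII(pattern, host string) bool {
	if pattern == "" || host == "" {
		return false
	}
	p := strings.Split(asciiLower(pattern), ".")
	h := strings.Split(asciiLower(host), ".")
	if len(p) != len(h) {
		return false
	}
	for i := range p {
		if i == 0 && p[i] == "*" {
			continue
		}
		if p[i] != h[i] {
			return false
		}
	}
	return true
}

func main() {
	// Constructed inputs. U+212A is the Kelvin sign, which Unicode folds to "k".
	lookalike := "www.\u212Aeys.example"
	fmt.Println(matchHostASCII("WWW.PAYPAL.NL", "www.paypal.nl"))      // true
	fmt.Println(matchHostASCII("*.PAYPAL.COM", "history.paypal.com")) // true
	fmt.Println(matchHostASCII(lookalike, "www.keys.example"))        // false
	fmt.Println(strings.EqualFold(lookalike, "www.keys.example"))     // true
}
```

The last two lines show why the fold has to be ASCII-only: a Unicode-aware comparison accepts the look-alike name, while the byte-level fold rejects it.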

@bradfitz
Contributor

Comment 3:

http://golang.org/cl/5590045/

Status changed to Started.

@agl
Contributor

agl commented Jan 31, 2012

Comment 4:

This issue was closed by revision 8efb304.

Status changed to Fixed.

@rsc rsc added this to the Go1 milestone Apr 10, 2015
@rsc rsc removed the priority-go1 label Apr 10, 2015
@golang golang locked and limited conversation to collaborators Jun 24, 2016
This issue was closed.