Re: [BUG] credential wildcard does not match hostnames containing an underscore

2021.10.13, aaron@xxxxxxxxxx:
> At 21:57 +0000 12 Oct 2021, "brian m. carlson" 
> <sandals@xxxxxxxxxxxxxxxxxxxx> wrote:
>>I also just checked, and RFC 5280 specifies the rules for RFC 1123
>>regarding host names in certificates.  So even if we did accept this, no
>>publicly trusted CA could issue a certificate for such a domain, because
>>to do so would be misissuance.  So this at best could help people who
>>are either using plain HTTP or an internal CA using broken tools,
>>neither of which I think argue in favor of supporting this.
>
> Or people using a wildcard certificate.

I didn't expect to kick off such a big discussion with this bug. ;-)

Just to add my 2 cents: the environment where I bumped into this is using a wildcard cert. It's among a fleet of (busy) internal domains that host data for scientific analysis. Lots of tools talk with those domains, and this is the first time I've been made aware of something struggling with the domains containing an underscore.

I'm not saying whether git should or should not change its behavior here. But the above is why I was surprised to learn that an underscore is not valid. Because everything (DNS servers, dig, Apache, and git itself) seems to happily use it.

In my view, the primary bug is how difficult it was to debug what was going wrong. This is most easily solved by improving the git docs to specify which characters will be matched. Even better if GIT_TRACE (or something similar) can inform/warn the user about matching.

In any case, thanks everyone for looking into this. :-)

---Alex


