Re: Re: [COMMITTERS] pgsql: Add support for matching wildcard server certificates to the new - Mailing list pgsql-hackers

From Robert Haas
Subject Re: Re: [COMMITTERS] pgsql: Add support for matching wildcard server certificates to the new
Date
Msg-id 603c8f070811290756n34fc6927m8883bfae7050a299@mail.gmail.com
In response to Re: Re: [COMMITTERS] pgsql: Add support for matching wildcard server certificates to the new  (Magnus Hagander <magnus@hagander.net>)
Responses Re: Re: [COMMITTERS] pgsql: Add support for matching wildcard server certificates to the new
List pgsql-hackers
> Perhaps the best method would actually be to match only "*." at the
> beginning of the CN for now, and see if people complain? I would much
> like someone who knows more about what would be reasonable to speak up
> here, but it seems we don't have anybody here who knows...

I would encourage you to adopt a solution where * matches only a
single pathname component.  This seems to be the intention of both
RFC2818 and RFC2595.  It is also the behavior of IE7; FF2 seems to
deviate from the spec.

http://www.hanselman.com/blog/SomeTroubleWithWildcardSSLCertificatesFireFoxAndRFC2818.aspx

There are several other advantages of this approach that seem worth mentioning:

1. If you make it match a single pathname component now, and later
decide that you were wrong and change your mind, it is guaranteed not
to break any working installations.  The reverse is not true.

2. I can't see any possible way that matching a single component could
create security holes that would be eliminated by matching multiple
components, but I'm more skeptical about the other direction.  What
about the old DNS hack where you create a DNS record for
example.com.sample.com and hijack connections intended for example.com
made by people whose default DNS suffix is sample.com?  There may be
reason to believe this isn't a problem, but matching less seems like
it can't possibly be a bad thing.

3. It would be truly bizarre if www*.example.com matched
www17.some.stuff.in.the.middle.example.com.  (That having been said, I
wouldn't worry about wildcards intended to match part of a component
too much.  I suspect that it's an extremely rare case, and we can
always add support later if there is demand for it.  Not worrying
about this now will help keep the code simple and free of bugs, always
good in a security-critical context.)

...Robert
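The single-component rule argued for above, written out as an added example (not libpq's code, and not from anyone in this thread): a small C matcher in which `*` may stand for zero or more characters inside one DNS label but never crosses a dot, so the label counts of pattern and hostname must agree. The function name `wildcard_certname_match` and the test hostnames are constructed for this illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Case-insensitive comparison of exactly n bytes (DNS names are case-insensitive). */
static int ci_equal_n(const char *a, const char *b, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return 0;
    return 1;
}

/*
 * Match one hostname label against one pattern label.  A '*' in the pattern
 * matches zero or more characters, but only within this label: it can never
 * consume a '.', because the caller has already split both names on dots.
 * Returns 1 on match, 0 otherwise.
 */
static int label_match(const char *pat, size_t plen, const char *lab, size_t llen)
{
    const char *star = memchr(pat, '*', plen);
    if (star == NULL)
        return plen == llen && ci_equal_n(pat, lab, plen);

    size_t prefix = (size_t)(star - pat);      /* chars before '*'      */
    size_t suffix = plen - prefix - 1;         /* chars after '*'       */
    if (memchr(star + 1, '*', suffix) != NULL) /* one '*' per label only */
        return 0;
    if (llen < prefix + suffix)
        return 0;
    return ci_equal_n(pat, lab, prefix) &&
           ci_equal_n(star + 1, lab + llen - suffix, suffix);
}

/*
 * Match hostname against a certificate name pattern where '*' matches a
 * single component only.  Both strings are walked label by label and must
 * run out of labels at the same time, so "*.example.com" cannot match
 * "a.b.example.com" and cannot match "example.com.sample.com".
 * Hypothetical helper written for this example; returns 1 on match.
 */
int wildcard_certname_match(const char *pattern, const char *hostname)
{
    const char *p = pattern, *h = hostname;
    for (;;) {
        const char *pdot = strchr(p, '.');
        const char *hdot = strchr(h, '.');
        size_t plen = pdot ? (size_t)(pdot - p) : strlen(p);
        size_t hlen = hdot ? (size_t)(hdot - h) : strlen(h);

        if (plen == 0 || hlen == 0)
            return 0;                       /* empty label: malformed, refuse */
        if (!label_match(p, plen, h, hlen))
            return 0;
        if (pdot == NULL || hdot == NULL)
            return pdot == NULL && hdot == NULL; /* must end together */
        p = pdot + 1;
        h = hdot + 1;
    }
}

int main(void)
{
    /* Constructed cases covering the points raised in the post. */
    static const struct { const char *pat, *host; } cases[] = {
        {"*.example.com",    "www.example.com"},
        {"*.example.com",    "a.b.example.com"},
        {"*.example.com",    "example.com.sample.com"},
        {"www*.example.com", "www17.example.com"},
        {"www*.example.com", "www17.some.stuff.in.the.middle.example.com"},
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-18s vs %-45s -> %s\n", cases[i].pat, cases[i].host,
               wildcard_certname_match(cases[i].pat, cases[i].host) ? "match" : "no match");
    return 0;
}
```

Only the first and fourth cases match. Because a wildcard can only absorb one label, a name such as `example.com.sample.com` is rejected by `*.example.com` on the second label, which is the property the post relies on when it says that matching less cannot open a hole that matching more would close.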

