Comment 13 for bug 376484

In , Mozbugzilla (mozbugzilla) wrote:

(In reply to comment #11)
> Note that the passages quoted above from RFC 2595 and RFC 4513 specify
> different restrictions on wildcard matching.

They don't say exactly the same thing, yes, but other than that, I don't think they contradict each other - or do they?

> NSS already does what the quoted text from RFC 2595 says.

Not in my understanding of that sentence, actually - if it says 'A "*" wildcard character MAY be used as the left-most name component in the certificate', then that does not allow for things like

   www.*
   *.*.example.org
   www.*.example.org
   *.*

on the other hand, I believe... all these have a "*" which is *not* in the left-most component. However, NSS will happily accept these, which leads to issues such as the one reported in bug 285361 (which has been resolved with WONTFIX, I know - but I disagree with that assessment to a certain degree... even if that single CN=* certificate came from a good guy, originally, the security of your browser might depend on the security of the host configured with this certificate, from then on - if an attacker manages to steal this particular private key, he can play MITM for you for any site).

Also, when considering how host name matching is currently done in NSS, I don't think it makes any real sense to support patterns like these in a host name:

> * o * matches anything
> * o ? matches one character
> * o \ will escape a special character
> * o $ matches the end of the string
> * o [abc] matches one occurrence of a, b, or c. The only character that needs
> * to be escaped in this is ], all others are not special.
> * o [a-z] matches any character between a and z
> * o [^az] matches any character except a or z
> * o ~ followed by another shell expression will remove any pattern
> * matching the shell expression from the match list
> * o (foo|bar) will match either the substring foo, or the substring bar.
> * These can be shell expressions as well.

(http://lxr.mozilla.org/mozilla/source/security/nss/lib/util/portreg.h#44)

While this allows you playing funny tricks with certs and host names like

   *~.biz$ (any host not in the .biz TLD)
   (|www.)example.org (www.example.org and example.org)
   [^w]* (any host name which doesn't begin with "w")

this might be cool for doing experiments (yes, they do work in Firefox e.g.!), but it's probably not really intended behavior...

Let me encourage you again to drop that kind of pattern matching for host names from NSS, and implement wildcard matching in the spirit of RFCs 2595, 2818 and 4513.
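As an added illustration (my own code, not NSS's and not from this bug), here is the kind of strict matcher the comment argues for, in C: "*" is accepted only as the entire left-most label, every metacharacter from the portreg.h syntax is rejected outright, and a wildcard stands for exactly one label. The requirement of at least two labels after the wildcard is an assumption that goes beyond the RFC wording.

```c
#include <stdbool.h>
#include <string.h>
#include <strings.h>   /* strcasecmp (POSIX) */

/* Count dot-separated labels in s; -1 if any label is empty. */
static int count_labels(const char *s)
{
    int n = 1;
    if (*s == '\0' || *s == '.')
        return -1;
    for (; *s; s++) {
        if (*s == '.') {
            if (s[1] == '.' || s[1] == '\0')
                return -1;
            n++;
        }
    }
    return n;
}

/* Accept only names in the spirit of RFC 2595/2818: no shell-style
 * metacharacters at all, and '*' (at most one) only as the whole
 * left-most label. Assumption going beyond the RFC text: at least two
 * labels must follow the wildcard, so "*" and "*.org" are rejected. */
bool wildcard_pattern_ok(const char *pat)
{
    if (strpbrk(pat, "?[]()|~$\\") != NULL)
        return false;                    /* portreg.h syntax, not a name */
    const char *star = strchr(pat, '*');
    if (star == NULL)
        return count_labels(pat) > 0;    /* plain host name */
    if (star != pat || pat[1] != '.' || strchr(pat + 1, '*') != NULL)
        return false;                    /* "www.*", "*.*", "*", ... */
    return count_labels(pat + 2) >= 2;
}

/* Case-insensitive match; the wildcard covers exactly one label, so
 * "*.example.org" matches "www.example.org" but not "a.b.example.org". */
bool hostname_matches(const char *pat, const char *host)
{
    if (!wildcard_pattern_ok(pat) || count_labels(host) < 1)
        return false;
    if (pat[0] != '*')
        return strcasecmp(pat, host) == 0;
    const char *dot = strchr(host, '.');
    return dot != NULL && strcasecmp(pat + 1, dot) == 0;
}
```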