Re: Re: [COMMITTERS] pgsql: Add support for matching wildcard server certificates to the new

From: Peter Eisentraut <peter_e(at)gmx(dot)net>
To: pgsql-hackers(at)postgresql(dot)org
Cc: Magnus Hagander <magnus(at)hagander(dot)net>, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
Subject: Re: Re: [COMMITTERS] pgsql: Add support for matching wildcard server certificates to the new
Date: 2008-11-24 21:26:41
Message-ID: 200811242326.42296.peter_e@gmx.net
Lists: pgsql-committers pgsql-hackers

On Monday 24 November 2008 16:55:17 Magnus Hagander wrote:
> > Then again, having looked into the libpq source now, is using fnmatch()
> > even appropriate here? The matching rules for https are in RFC 2818:

> > Using fnmatch(), however, will also treat ? and [] special and it will
> > not follow the "any single domain name component" rule.

> I guess it's back to the drawing board. Can probably still base it on the
> fnmatch stuff, but it'll need to be ripped apart. Basically, it should
> match only with *, and * should not match "." - do you agree that's a
> reasonable interpretation?

Some more information on this:
https://www.switch.ch/pki/meetings/2007-01/namebased_ssl_virtualhosts.pdf
slide 5 lists the matching rules for email, HTTP, and LDAP over TLS,
respectively, which are not all the same. Also note that these methods have
rules for interpreting fields in the certificate other than the common name
for the host name.

I think it is safest and easiest to allow a * wildcard only as the first
character and only when followed immediately by a dot.

Maybe some DNS expert around here can offer advice on what a morally sound
solution would be.
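The following is an added example, not code from this message or from libpq, showing the rule proposed above as a small C matcher: a `*` is accepted only as the first character of the certificate name, only when immediately followed by a dot, and it stands for exactly one non-empty DNS label (it never crosses a `.`); `?` and `[` are ordinary characters. It assumes a POSIX platform so that fnmatch() is available for contrast, and it compares names case-insensitively because DNS names are (that choice is mine, not something the thread settles).

```c
#include <ctype.h>
#include <fnmatch.h>
#include <stdio.h>
#include <string.h>

/* Case-insensitive comparison of exactly n bytes (DNS names are case-insensitive). */
static int bytes_eq_nocase(const char *a, const char *b, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char) a[i]) != tolower((unsigned char) b[i]))
            return 0;
    return 1;
}

/*
 * Strict matcher following the rule proposed in the mail:
 *  - '*' is allowed only as the first character of the pattern,
 *  - it must be followed immediately by '.', and something after that,
 *  - it matches exactly one non-empty label of the host (never a '.'),
 *  - everything else, including '?' and '[', is compared literally.
 * Returns 1 on match, 0 otherwise.
 */
int hostname_matches(const char *pattern, const char *host)
{
    if (pattern == NULL || host == NULL || *pattern == '\0' || *host == '\0')
        return 0;

    if (pattern[0] == '*')
    {
        const char *dot;

        /* "*.example.com" only: dot after the star, a suffix after the dot,
         * and no second wildcard anywhere */
        if (pattern[1] != '.' || pattern[2] == '\0' || strchr(pattern + 1, '*') != NULL)
            return 0;

        /* the host's first label must be non-empty and end at its first dot */
        dot = strchr(host, '.');
        if (dot == NULL || dot == host)
            return 0;

        /* compare the remainder (".example.com") literally below */
        pattern++;
        host = dot;
    }
    else if (strchr(pattern, '*') != NULL)
        return 0;               /* a wildcard anywhere else is rejected */

    size_t plen = strlen(pattern);
    size_t hlen = strlen(host);
    return plen == hlen && bytes_eq_nocase(pattern, host, plen);
}

/* The same comparison done with plain fnmatch(), for contrast: here '*'
 * crosses dots and '?' / '[' are special, which is the problem the thread raises. */
int fnmatch_matches(const char *pattern, const char *host)
{
    return fnmatch(pattern, host, 0) == 0;
}

int main(void)
{
    /* constructed sample pairs: certificate name, connected host name */
    static const char *cases[][2] = {
        {"*.example.com",   "www.example.com"},
        {"*.example.com",   "a.b.example.com"},   /* fnmatch: yes, strict: no */
        {"*.example.com",   "example.com"},
        {"w?w.example.com", "www.example.com"},   /* fnmatch: yes, strict: no */
        {"*",               "www.example.com"},   /* fnmatch: yes, strict: no */
        {"www.example.com", "WWW.EXAMPLE.COM"},
    };

    printf("%-18s %-18s %-8s %s\n", "pattern", "host", "fnmatch", "strict");
    for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++)
        printf("%-18s %-18s %-8d %d\n", cases[i][0], cases[i][1],
               fnmatch_matches(cases[i][0], cases[i][1]),
               hostname_matches(cases[i][0], cases[i][1]));
    return 0;
}
```

Running it prints one row per pair; the rows where the two columns disagree are exactly the cases the message is concerned about (a wildcard swallowing several labels, a bare `*`, and `?` being interpreted), which the strict matcher rejects.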
