
Re: Re: [COMMITTERS] pgsql: Add support for matching wildcard server certificates to the new

From: Magnus Hagander <magnus(at)hagander(dot)net>
To: Robert Haas <robertmhaas(at)gmail(dot)com>
Cc: Peter Eisentraut <peter_e(at)gmx(dot)net>, pgsql-hackers(at)postgresql(dot)org, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
Subject: Re: Re: [COMMITTERS] pgsql: Add support for matching wildcard server certificates to the new
Date: 2008-12-01 14:49:38
Message-ID: 4933F982.2070707@hagander.net
Lists: pgsql-committers, pgsql-hackers
Robert Haas wrote:
>> Perhaps the best method would actually be to match only "*." at the
>> beginning of the CN for now, and see if people complain? I would much
>> like someone who knows more about what would be reasonable to speak up
>> here, but it seems we don't have anybody here who knows...
> 
> I would encourage you to adopt a solution where * matches only a
> single pathname component.  This seems to be the intention of both
> RFC2818 and RFC2595.  It is also the behavior of IE7; FF2 seems to
> deviate from the spec.
> 
> http://www.hanselman.com/blog/SomeTroubleWithWildcardSSLCertificatesFireFoxAndRFC2818.aspx

If you look at the wiki page mentioned upthread,
http://wiki.cacert.org/wiki/WildcardCertificates, you will see that it
seems like *all* products other than IE are converging on the non-IE
behavior. Which would be an argument for implementing that method.


> There are several other advantages of this approach that seem worth mentioning:
> 
> 1. If you make it match a single pathname component now, and later
> decide that you were wrong and change your mind, it is guaranteed not
> to break any working installations.  The reverse is not true.

True.


> 2. I can't see any possible way that matching a single component could
> create security holes that would be eliminated by matching multiple
> components, but I'm more skeptical about the other direction.  What
> about the old DNS hack where you create a DNS record for
> example.com.sample.com and hijack connections intended for example.com
> made by people whose default DNS suffix is sample.com?  There may be
> reason to believe this isn't a problem, but matching less seems like
> it can't possibly be a bad thing.

Right, but that's all about being careful not to give out certs like
"*.postgres.*".


> 3. It would be truly bizarre if www*.example.com matched
> www17.some.stuff.in.the.middle.example.com.  (That having been said, I
> wouldn't worry about wildcards intended to match part of a component
> too much.  I suspect that it's an extremely rare case, and we can
> always add support later if there is demand for it.  Not worrying
> about this now will help keep the code simple and free of bugs, always
> good in a security-critical context.)

Yeah.

I think I agree with the idea that we should match wildcards only at the
beginning of the name *for now*, and then see what people actually
request :-) I'm less sure about the single-pathname-component part, but
the argument around backwards compatibility is certainly a very valid one.

//Magnus
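The rule the thread converges on (a wildcard accepted only as the leading "*." of the certificate name, matching exactly one DNS label, so that "*.sample.com" does not cover "example.com.sample.com"), written out as an added C example; this is not libpq's code, and the function name hostname_matches and the choice to treat any other placement of '*' as unmatchable are my assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>
#include <strings.h>

/*
 * Returns true if 'hostname' matches the certificate name 'pattern'.
 * Hypothetical implementation of the rule discussed in the thread:
 *   - a wildcard is accepted only as the leading "*." of the pattern
 *   - that wildcard matches exactly one non-empty DNS label
 *   - a '*' anywhere else (e.g. "www*.example.com", "*.postgres.*")
 *     makes the name unmatchable (conservative choice, an assumption)
 *   - comparison is case-insensitive, as DNS names are
 */
bool hostname_matches(const char *pattern, const char *hostname)
{
    const char *rest;

    if (pattern == NULL || hostname == NULL || *hostname == '\0')
        return false;

    if (strncmp(pattern, "*.", 2) == 0)
    {
        /* The part after "*." must be a plain, non-empty name itself */
        const char *suffix = pattern + 2;
        if (*suffix == '\0' || strchr(suffix, '*') != NULL)
            return false;

        /* The wildcard consumes exactly the first label of the hostname;
         * everything after the first '.' must equal the suffix verbatim,
         * so "a.b.example.com" does not match "*.example.com". */
        rest = strchr(hostname, '.');
        if (rest == NULL || rest == hostname)
            return false;          /* no second label, or empty first label */
        return strcasecmp(rest + 1, suffix) == 0;
    }

    /* No leading wildcard: any remaining '*' is unsupported, else exact match */
    if (strchr(pattern, '*') != NULL)
        return false;

    return strcasecmp(pattern, hostname) == 0;
}
```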

