bug-wget

[Bug-wget] More hostname matching goodness


From: Jeffrey Walton
Subject: [Bug-wget] More hostname matching goodness
Date: Fri, 21 Mar 2014 23:12:19 -0400

Hi Gentlemen,

Here's another that looks illegal per the RFCs and CA/B Baseline.

Create a server cert with a single SAN of "WWW.*.COM":

$ openssl x509 -in server-rsa-cert.pem -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 9008050290962543110 (0x7d0306034fad3206)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, O=Example, LLC, CN=Example CA
        Validity
            Not Before: Jan  1 00:00:00 2014 GMT
            Not After : Jan  1 00:00:00 2024 GMT
        Subject: O=Example, LLC, CN=Example Certificate
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:b0:3b:86:b8:17:4e:0f:b7:d5:ff:9b:4a:16:32:
                    ...
                    aa:7a:2e:24:75:25:20:e6:5e:5c:c2:67:56:0f:14:
                    dd:0b
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:www.*.com
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage:
                Digital Signature, Key Encipherment, Key Agreement
            X509v3 Subject Key Identifier:
                B5:AF:38:82:0C:C4:32:6E:9F:F5:F1:97:83:49:26:8D:AB:CB:3C:88
            X509v3 Authority Key Identifier:
                keyid:B1:77:69:71:06:C6:25:90:28:B8:BA:49:70:A1:2F:3F:0F:32:C0:3C
        ...

Start the server:

$ openssl s_server -accept 8443 -www -certform PEM -cert \
    server-rsa-cert-2.pem -keyform PEM -key server-rsa-key-plain.pem -tls1 \
    -cipher HIGH:-EDH:-DHE

Make a client request trusting the exemplary CA:

$ wget https://www.example.com:8443 --ca-certificate ca-rsa-cert.pem
--2014-03-21 23:05:24--  https://www.example.com:8443/
Resolving www.example.com (www.example.com)... 127.0.0.1
Connecting to www.example.com (www.example.com)|127.0.0.1|:8443... connected.
HTTP request sent, awaiting response... 200 ok
Length: unspecified [text/html]
Saving to: `index.html'
...

$ wget https://www.foo.com:8443 --ca-certificate ca-rsa-cert.pem
--2014-03-21 23:06:46--  https://www.foo.com:8443/
Resolving www.foo.com (www.foo.com)... 127.0.0.1
Connecting to www.foo.com (www.foo.com)|127.0.0.1|:8443... connected.
HTTP request sent, awaiting response... 200 ok
Length: unspecified [text/html]
Saving to: `index.html.1'
...

$ wget https://www.bar.com:8443 --ca-certificate ca-rsa-cert.pem
--2014-03-21 23:06:54--  https://www.bar.com:8443/
Resolving www.bar.com (www.bar.com)... 127.0.0.1
Connecting to www.bar.com (www.bar.com)|127.0.0.1|:8443... connected.
HTTP request sent, awaiting response... 200 ok
Length: unspecified [text/html]
Saving to: `index.html.2'
...

*****

I also found a server certificate with two SANs is most useful: one
"*.COM", and one "WWW.*.COM".

I've also got a really cool "one cert to rule them all". It's got the
top levels (*.COM, *.NET, etc) and the named host variants (WWW.*.COM,
WWW.*.NET, MAIL.*.COM, MAIL.*.NET, FTP.*.COM, FTP.*.NET).

*****

Attached is the cert with "WWW.*.COM". All the other parameters (CA
key and cert, server key) are the same, but they were attached for
convenience.

*****

This was also sent to the GnuTLS folks, but I wanted to give the
Wget project a heads up.

Jeffrey Walton

Attachment: server-rsa-cert.pem
Description: application/x509-ca-cert

Attachment: server-rsa-key-plain.pem
Description: application/x509-ca-cert

Attachment: ca-rsa-cert.pem
Description: application/x509-ca-cert
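
Added example (not part of the original message, and not Wget's or GnuTLS's code): a conservative DNS SAN matcher that accepts a wildcard only as the entire left-most label, so the "www.*.com" and "*.com" entries described above match nothing. The function names are hypothetical, and the "at least two labels after the wildcard" rule is an assumed simplification standing in for a public suffix list lookup.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Added example: conservative check of a DNS SAN against the requested host. */
/* A wildcard is accepted only as the entire left-most label ("*.example.com")
   and only when at least two labels follow it. The two-label rule is an
   assumed simplification standing in for a public suffix list lookup. */
static int wildcard_pattern_ok(const char *pattern)
{
    const char *rest, *dot;
    if (pattern[0] != '*' || pattern[1] != '.')
        return 0;                      /* "w*.example.com", "www.*.com" */
    rest = pattern + 2;
    if (strchr(rest, '*') != NULL)
        return 0;                      /* "*.*.com" */
    dot = strchr(rest, '.');
    if (dot == NULL || dot == rest || dot[1] == '\0')
        return 0;                      /* "*.com", "*..com", "*.com." */
    return 1;
}

/* Returns 1 if the SAN pattern covers host, 0 otherwise. */
int san_matches_host(const char *pattern, const char *host)
{
    const char *host_rest;
    if (pattern == NULL || host == NULL || *pattern == '\0' || *host == '\0')
        return 0;
    if (strchr(pattern, '*') == NULL)
        return strcasecmp(pattern, host) == 0;  /* exact, case-insensitive */
    if (!wildcard_pattern_ok(pattern))
        return 0;
    /* The wildcard stands for exactly one non-empty label of the host. */
    host_rest = strchr(host, '.');
    if (host_rest == NULL || host_rest == host)
        return 0;
    return strcasecmp(pattern + 1, host_rest) == 0;  /* ".example.com" part */
}

int main(void)
{
    /* SAN and hostnames taken from the message above. */
    const char *hosts[] = { "www.example.com", "www.foo.com", "www.bar.com" };
    for (size_t i = 0; i < 3; i++)
        printf("www.*.com vs %s -> %d\n", hosts[i], san_matches_host("www.*.com", hosts[i]));
    printf("*.com vs www.foo.com -> %d\n", san_matches_host("*.com", "www.foo.com"));
    printf("*.example.com vs www.example.com -> %d\n", san_matches_host("*.example.com", "www.example.com"));
    return 0;
}
```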

