[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Bug-wget] More hostname matching goodness
From: |
Jeffrey Walton |
Subject: |
[Bug-wget] More hostname matching goodness |
Date: |
Fri, 21 Mar 2014 23:12:19 -0400 |
Hi Gentleman,
Here's another that looks illegal per the RFCs and CA/B Baseline.
Create a server cert with a single SAN of "WWW.*.COM":
$ openssl x509 -in server-rsa-cert.pem -text -noout
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 9008050290962543110 (0x7d0306034fad3206)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=US, O=Example, LLC, CN=Example CA
Validity
Not Before: Jan 1 00:00:00 2014 GMT
Not After : Jan 1 00:00:00 2024 GMT
Subject: O=Example, LLC, CN=Example Certificate
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:b0:3b:86:b8:17:4e:0f:b7:d5:ff:9b:4a:16:32:
...
aa:7a:2e:24:75:25:20:e6:5e:5c:c2:67:56:0f:14:
dd:0b
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Alternative Name:
DNS:www.*.com
X509v3 Basic Constraints:
CA:FALSE
X509v3 Key Usage:
Digital Signature, Key Encipherment, Key Agreement
X509v3 Subject Key Identifier:
B5:AF:38:82:0C:C4:32:6E:9F:F5:F1:97:83:49:26:8D:AB:CB:3C:88
X509v3 Authority Key Identifier:
keyid:B1:77:69:71:06:C6:25:90:28:B8:BA:49:70:A1:2F:3F:0F:32:C0:3C
...
Start the server:
$ openssl s_server -accept 8443 -www -certform PEM -cert
server-rsa-cert-2.pem -keyform PEM -key server-rsa-key-plain.pem -tls1
-cipher HIGH:-EDH:-DHE
Make a client request trusting the exemplary CA:
$ wget https://www.example.com:8443 --ca-certificate ca-rsa-cert.pem
--2014-03-21 23:05:24-- https://www.example.com:8443/
Resolving www.example.com (www.example.com)... 127.0.0.1
Connecting to www.example.com (www.example.com)|127.0.0.1|:8443... connected.
HTTP request sent, awaiting response... 200 ok
Length: unspecified [text/html]
Saving to: `index.html'
...
$ wget https://www.foo.com:8443 --ca-certificate ca-rsa-cert.pem
--2014-03-21 23:06:46-- https://www.foo.com:8443/
Resolving www.foo.com (www.foo.com)... 127.0.0.1
Connecting to www.foo.com (www.foo.com)|127.0.0.1|:8443... connected.
HTTP request sent, awaiting response... 200 ok
Length: unspecified [text/html]
Saving to: `index.html.1'
...
$ wget https://www.bar.com:8443 --ca-certificate ca-rsa-cert.pem
--2014-03-21 23:06:54-- https://www.bar.com:8443/
Resolving www.bar.com (www.bar.com)... 127.0.0.1
Connecting to www.bar.com (www.bar.com)|127.0.0.1|:8443... connected.
HTTP request sent, awaiting response... 200 ok
Length: unspecified [text/html]
Saving to: `index.html.2'
...
*****
I also found a server certificate with two SANs is most useful: one
"*.COM", and one "WWW.*.COM".
I've also got a really cool "one cert to rule them all". Its got the
top levels (*.COM, *.NET, etc) and the named host variants (WWW.*.COM,
WWW.*.NET, MAIL.*.COM, MAIL.*.NET, FTP.*.COM, FTP.*.NET).
*****
Attached is the cert with "WWW.*.COM". All the other parameters (CA
key and cert, server key) are the same, but they were attached for
convenience.
*****
This was also sent this to the GnuTLS folks, but I wanted to give the
Wget project a heads up.
Jeffrey Walton
server-rsa-cert.pem
Description: application/x509-ca-cert
server-rsa-key-plain.pem
Description: application/x509-ca-cert
ca-rsa-cert.pem
Description: application/x509-ca-cert
[Prev in Thread] |
Current Thread |
[Next in Thread] |
- [Bug-wget] More hostname matching goodness,
Jeffrey Walton <=