[ipxe-devel] Wildcard HTTPS cert support.

Nicolas Sylvain nsylvain at gmail.com
Wed Aug 28 21:50:37 UTC 2013


Hello,

I'm trying to fetch an image off a Google App Engine app. (Hosted on
appspot.com).

My script is running:

imgfetch https://nsylvainoauth.appspot.com/test

This is failing because:

"server name incorrect (expected *.appspot.com, got nsylvainoauth.appsot.com
)"

I made a small change to actually add basic wildcard support to get
unstuck. It only works for cases like this one (leading wildcard).

Here's the patch if anyone is interested.

--- a/src/net/tls.c
+++ b/src/net/tls.c
@@ -2456,10 +2456,25 @@ static void tls_validator_done ( struct
tls_session *tls, int rc ) {
        /* Verify server name */
        if ( ( cert->subject.name == NULL ) ||
             ( strcmp ( cert->subject.name, tls->name ) != 0 ) ) {
-               DBGC ( tls, "TLS %p server name incorrect (expected %s, got "
-                      "%s)\n", tls, tls->name, cert->subject.name );
-               rc = -EACCES_WRONG_NAME;
-               goto err;
+               if ( cert->subject.name[0] == '*' ) {
+                       char * subject_name = cert->subject.name + 1;
+                       int subject_name_len = strlen(subject_name);
+                       int host_name_len = strlen(tls->name);
+                       if ( ( host_name_len < subject_name_len ||
+                            ( strcmp( tls->name + host_name_len -
subject_name_len,
+                                      subject_name ) ) != 0 ) ) {
+                               DBGC ( tls, "TLS %p wildcard server
name incorrect "
+                                      "(%s does not end with %s)\n",
tls, tls->name,
+                                      subject_name);
+                               rc = -EACCES_WRONG_NAME;
+                               goto err;
+                       }
+               } else {
+                       DBGC ( tls, "TLS %p server name incorrect
(expected %s, got "
+                              "%s)\n", tls, tls->name, cert->subject.name );
+                       rc = -EACCES_WRONG_NAME;
+                       goto err;
+                }
        }
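Review bot: the new `if ( cert->subject.name[0] == '*' )` is reached when `cert->subject.name == NULL`, because the outer `||` condition enters the block on either operand; a certificate with no subject name therefore dereferences a null pointer where the old code returned `-EACCES_WRONG_NAME`. Guard it first, e.g. `if ( ( cert->subject.name != NULL ) && ( cert->subject.name[0] == '*' ) )`, and keep the NULL case on the error path (the `else` branch's `DBGC` also prints a possibly-NULL `%s`). Second, the match strips only the `*` and accepts any host whose tail equals `.appspot.com`, so `*.appspot.com` also matches `a.b.appspot.com` and a name like `*appspot.com` would match `evilappspot.com`; require `cert->subject.name[1] == '.'` and that the host prefix before the suffix is a single non-empty label with no `.`. Minor: `strlen()` returns `size_t`, so declare `subject_name_len` and `host_name_len` as `size_t` rather than `int`.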


Now it's actually failing about 50% of the time trying to do the OCSP
checks, but I'll start another thread for this one.

Thanks

Nicolas
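For comparison, here is an added, stand-alone matcher (not iPXE code and not the patch above) that applies the single-label wildcard rule a validator should enforce, next to a reconstruction of the patch's suffix-only rule; the function names are my own.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>
#include <strings.h>   /* strcasecmp(); DNS names compare case-insensitively */

/* Added example: strict leading-wildcard match.  A "*" is accepted only as
 * the whole first label of the certificate name and stands in for exactly
 * one non-empty host label, so "*.appspot.com" matches
 * "nsylvainoauth.appspot.com" but not "appspot.com", "a.b.appspot.com"
 * or "evilappspot.com".  A NULL name never matches. */
bool cert_name_matches ( const char *cert_name, const char *host ) {
	if ( ( cert_name == NULL ) || ( host == NULL ) )
		return false;
	if ( cert_name[0] != '*' )
		return ( strcasecmp ( cert_name, host ) == 0 );
	/* Wildcard must be followed by '.' and at least two more labels */
	if ( cert_name[1] != '.' )
		return false;
	const char *suffix = cert_name + 1;            /* ".appspot.com" */
	if ( strchr ( suffix + 1, '.' ) == NULL )
		return false;                          /* "*.com" is too broad */
	if ( strchr ( suffix + 1, '*' ) != NULL )
		return false;                          /* only one wildcard */
	/* Host: one non-empty label, then exactly the suffix */
	const char *dot = strchr ( host, '.' );
	if ( ( dot == NULL ) || ( dot == host ) )
		return false;
	return ( strcasecmp ( dot, suffix ) == 0 );
}

/* Reconstruction of the patch's rule for comparison: drop the '*' and
 * accept any host that ends with the remainder.  Shown only to make the
 * over-match on multi-label hosts visible. */
bool suffix_only_matches ( const char *cert_name, const char *host ) {
	if ( ( cert_name == NULL ) || ( host == NULL ) || ( cert_name[0] != '*' ) )
		return false;
	const char *suffix = cert_name + 1;
	size_t sl = strlen ( suffix );
	size_t hl = strlen ( host );
	return ( ( hl >= sl ) && ( strcmp ( host + hl - sl, suffix ) == 0 ) );
}
```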