
http-client-tls connection to HTTPS site with invalid hostname #212

Closed
oherrala opened this issue Jul 7, 2016 · 2 comments

Comments

@oherrala

oherrala commented Jul 7, 2016

This issue is copy & pasted from haskell/wreq#84 and example modified for http-client-tls.

badssl.com tests have a wildcard certificate with common name *.badssl.com and Subject Alternative Names badssl.com and *.badssl.com. http-client-tls misinterprets how wildcard certificates should be handled:

*Main> :m Network.HTTP.Client Network.HTTP.Client.TLS
Prelude> manager <- newManager tlsManagerSettings
Prelude> request <- parseRequest "https://wrong.host.badssl.com"
Prelude> httpLbs request manager
Response {responseStatus = Status {statusCode = 200, statusMessage = "OK"}, responseVersion = HTTP/1.1, responseHeaders = <reponse removed>...

RFC2818 states that:

Matching is performed using the matching rules specified by [RFC2459]. If more than one identity of a given type is present in the certificate (e.g., more than one dNSName name, a match in any one of the set is considered acceptable.) Names may contain the wildcard character * which is considered to match any single domain name component or component fragment. E.g., *.a.com matches foo.a.com but not bar.foo.a.com. f*.com matches foo.com but not bar.com.

Chrome, Firefox and Safari don't allow connection to this test host.

This was found with TryTLS test tool: https://github.com/ouspg/trytls
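The RFC 2818 rule quoted above, as an added example written for this page (not code from http-client-tls or hs-certificate): a label-by-label matcher where a wildcard never spans a dot, run against the badssl.com identities the report describes (the CN and SAN values below are constructed from that description).

```python
# Added example: RFC 2818 section 3.1 hostname matching, to show why
# wrong.host.badssl.com must not match *.badssl.com.

def _label_matches(pattern: str, label: str) -> bool:
    """Match one DNS label; '*' matches any single label or label fragment."""
    if "*" not in pattern:
        return pattern == label
    head, _, tail = pattern.partition("*")
    # The fixed parts must both fit without overlapping (e.g. "ab*ba" vs "aba").
    return (len(label) >= len(head) + len(tail)
            and label.startswith(head) and label.endswith(tail))

def hostname_matches(pattern: str, hostname: str) -> bool:
    """Compare label by label, case-insensitively. A wildcard matches exactly
    one component, so *.badssl.com covers wildcard.badssl.com but not
    wrong.host.badssl.com, which has one label too many."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    return all(_label_matches(p, h) for p, h in zip(p_labels, h_labels))

def certificate_matches(cn: str, sans: list[str], hostname: str) -> bool:
    """A match against any one dNSName in the set is acceptable. When dNSName
    SANs are present they are the identities to check; the CN is only a
    fallback for certificates without any."""
    identities = sans if sans else [cn]
    return any(hostname_matches(ident, hostname) for ident in identities)

# Constructed from the issue text: badssl.com's wildcard certificate.
BADSSL_CN = "*.badssl.com"
BADSSL_SANS = ["badssl.com", "*.badssl.com"]

if __name__ == "__main__":
    for host in ("badssl.com", "wildcard.badssl.com", "wrong.host.badssl.com"):
        verdict = "accept" if certificate_matches(BADSSL_CN, BADSSL_SANS, host) else "reject"
        print(f"{host}: {verdict}")
```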

@snoyberg
Owner

snoyberg commented Jul 7, 2016

Looks like a dupe of #207

@oherrala
Author

oherrala commented Oct 2, 2016

This has been fixed in haskell-tls/hs-certificate#75:

- FAIL wrong hostname in certificate [reject wrong.host.badssl.com:443]
-      output: 200 OK
+ PASS wrong hostname in certificate [reject wrong.host.badssl.com:443]
+      output: HandshakeFailed (Error_Protocol ("certificate rejected: [NameMismatch \"wrong.host.badssl.com\"]",True,CertificateUnknown))

- FAIL invalid wildcard certificate Common Name [reject wildcard.mismatch.badtls.io:11007]
-      output: 200 OK
+ PASS invalid wildcard certificate Common Name [reject wildcard.mismatch.badtls.io:11007]
+      output: HandshakeFailed (Error_Protocol ("certificate rejected: [NameMismatch \"wildcard.mismatch.badtls.io\"]",True,CertificateUnknown))

@oherrala oherrala closed this as completed Oct 2, 2016