HTTPS connections fail when wildcards are in the certificate

Postby petervn » 22 Jun 2011, 21:31

I am having issues with HTTPSClientSession throwing a certificate invalid exception if the server certificate contains wildcards, i.e. "*". I am using Poco 1.4.

According to the release notes for Release 1.3.1:

"fixed SF# 1714753: NetSSL_OpenSSL: HTTPS connections fail with wildcard certs".

It does not seem to work for me. X509Certificate::verify(...) returns false:

bool X509Certificate::verify(const Poco::Crypto::X509Certificate& certificate, const std::string& hostName)
{
    std::string commonName;
    std::set<std::string> dnsNames;
    certificate.extractNames(commonName, dnsNames);

My certificate contains a single DNS name with a wildcard, i.e. "*", so the dnsNames is just one entry.

    bool ok = (dnsNames.find(hostName) != dnsNames.end());

The above line returns false, which is fine.

    char buffer[NAME_BUFFER_SIZE];
    X509_NAME* subj = 0;
    if (!ok && (subj = X509_get_subject_name(const_cast<X509*>(certificate.certificate()))) && X509_NAME_get_text_by_NID(subj, NID_commonName, buffer, sizeof(buffer)) > 0)
    {
        buffer[NAME_BUFFER_SIZE - 1] = 0;
        std::string commonName(buffer); // commonName can contain wildcards like *
        // two cases: strData contains wildcards or not
        if (containsWildcards(commonName))
        {
            // a compare by IPAddress is not possible with wildcards
            // only allow compare by name
            const HostEntry& heData = DNS::resolve(hostName);
            ok = matchByAlias(commonName, heData);
        }

The line "matchByAlias" only makes sense if the HostEntry has aliases, which is not the case for me. So the verify subsequently returns false, and the entire certificate validation process fails. I am able to access the data in Firefox and IE.

Any ideas?
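The failure described in the post comes from matching a wildcard name through DNS aliases instead of against the requested hostname itself. The following is an added example of how a hostname check can be written so that a wildcard is compared directly with the name the client asked for; it is not Poco's code and not part of the original post. The function names matchesHostname and verifyHostname are hypothetical. It follows the common browser rules: names are compared case-insensitively, SAN dNSName entries take precedence and the CN is consulted only when the certificate carries no SANs, and a wildcard is accepted only as the entire leftmost label, matching exactly one label and never a public-suffix-style pattern such as "*.com".

```cpp
#include <algorithm>
#include <cctype>
#include <set>
#include <string>
#include <vector>

// DNS names are case-insensitive, so normalise before comparing.
static std::string toLower(std::string s) {
    std::transform(s.begin(), s.end(), s.begin(),
                   [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
    return s;
}

// Split a name into its dot-separated labels; a trailing dot yields no empty final label.
static std::vector<std::string> labels(const std::string& name) {
    std::vector<std::string> out;
    std::string cur;
    for (char c : name) {
        if (c == '.') { out.push_back(cur); cur.clear(); }
        else cur += c;
    }
    if (!cur.empty()) out.push_back(cur);
    return out;
}

// Does one certificate name (a SAN dNSName or the CN) match the requested host?
// Hypothetical helper written for this example.
bool matchesHostname(const std::string& patternIn, const std::string& hostIn) {
    const std::string pattern = toLower(patternIn);
    const std::string host = toLower(hostIn);
    if (pattern.empty() || host.empty()) return false;
    if (pattern == host) return true;                  // exact match, no wildcard logic needed

    const std::vector<std::string> pl = labels(pattern);
    const std::vector<std::string> hl = labels(host);
    if (pl.size() != hl.size()) return false;          // a wildcard stands for exactly one label
    if (pl.size() < 3) return false;                   // refuse "*.com" style patterns
    if (pl[0] != "*") return false;                    // wildcard only as the whole leftmost label

    for (size_t i = 1; i < pl.size(); ++i) {
        if (pl[i].find('*') != std::string::npos) return false; // no wildcards in other labels
        if (pl[i] != hl[i]) return false;                        // every other label must match
    }
    return !hl[0].empty();                             // the host must supply a real leftmost label
}

// SAN-first verification: when dNSName entries are present the CN is ignored entirely;
// the CN is only a fallback for legacy certificates that carry no SANs.
// Hypothetical helper written for this example.
bool verifyHostname(const std::string& commonName,
                    const std::set<std::string>& dnsNames,
                    const std::string& hostName) {
    if (!dnsNames.empty()) {
        for (const std::string& n : dnsNames)
            if (matchesHostname(n, hostName)) return true;
        return false;
    }
    return matchesHostname(commonName, hostName);
}
```

With this shape the wildcard case in the post ("*.example.com" in the SAN, client connecting to "www.example.com") is accepted without any DNS lookup, while "a.b.example.com", "example.com" and a partial wildcard such as "w*.example.com" are all rejected. Resolving the hostname to find aliases, as the quoted Poco code does, ties certificate validation to whatever the resolver returns, which is exactly the input TLS is meant to protect against.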
