curl /libcurl uses wildcards for validation during TLS communication, even if the hostname is an IDN.
Even if wildcards are present in the CN/SAN of the certificate, they must not be used to match if the hostname is an IDN.
This is described in [RFC-6125, section 6.4.3.][RFC]
[RFC]: https://datatracker.ietf.org/doc/html/rfc6125#section-6.4.3
You probably know that.
However, there was a problem with the implementation.
lib/vtls/hostcheck.c
in the function โhostmatchโ on lines 100-106.
/* We require at least 2 dots in the pattern to avoid too wide wildcard
match. */
pattern_label_end = memchr(pattern, '.', patternlen);
if(!pattern_label_end ||
(memrchr(pattern, '.', patternlen) == pattern_label_end) ||
strncasecompare(pattern, "xn--", 4))
return pmatch(hostname, hostlen, pattern, patternlen);
I think strncasecompare(pattern, "xn--", 4))
is strncasecompare(hostname, "xn--", 4))
.
pattern
is a value that contains wildcards because it is CN/SAN.
In other words, it will not match โxnโโ because it will be a string containing wildcards.
x*.example.local
. {F2298301} {F2298300}openssl s_server -accept 443 -cert server.crt -key server.key -www
curl https://%E3%81%82.example.local --cacert server.crt
When the above is executed, the communication succeeds even though it should result in a validation error.
Improper Validation of Certificate with Host Mismatch.