Wreq connection to HTTPS site with invalid hostname
oherrala opened this issue · comments
badssl.com tests have wildcard certificate with common name *.badssl.com
and Subject Alternative Names badssl.com
and *.badssl.com
. Wreq (or http-client-tls
or tls
package?) misinterpretes how wildcard certificates should be handled:
Prelude Network.Wreq> get "https://wrong.host.badssl.com/"
Response {responseStatus = Status {statusCode = 200, statusMessage = "OK"}, responseVersion = HTTP/1.1, responseHeaders = <reponse removed>...
RFC2818 states that:
Matching is performed using the matching rules specified by [RFC2459]. If more than one identity of a given type is present in the certificate (e.g., more than one dNSName name, a match in any one of the set is considered acceptable.) Names may contain the wildcard character * which is considered to match any single domain name component or component fragment. E.g., .a.com matches foo.a.com but not bar.foo.a.com. f.com matches foo.com but not bar.com.
Chrome, Firefox and Safari don't allow connection to this test host.
This was found with TryTLS test tool: https://github.com/ouspg/trytls
This is also reported for http-client-tls
package in snoyberg/http-client#212
This has been fixed in haskell-tls/hs-certificate#75:
- FAIL wrong hostname in certificate [reject wrong.host.badssl.com:443]
- output: 200 OK
+ PASS wrong hostname in certificate [reject wrong.host.badssl.com:443]
+ output: HandshakeFailed (Error_Protocol ("certificate rejected: [NameMismatch \"wrong.host.badssl.com\"]",True,CertificateUnknown))
- FAIL invalid wildcard certificate Common Name [reject wildcard.mismatch.badtls.io:11007]
- output: 200 OK
+ PASS invalid wildcard certificate Common Name [reject wildcard.mismatch.badtls.io:11007]
+ output: HandshakeFailed (Error_Protocol ("certificate rejected: [NameMismatch \"wildcard.mismatch.badtls.io\"]",True,CertificateUnknown))