SSL host name checking doesn't understand wildcard subdomains?
- Subject: SSL host name checking doesn't understand wildcard subdomains?
- From: Jens Alfke <email@hidden>
- Date: Fri, 11 May 2012 10:51:17 -0700
I’m using NSStream to open an HTTP connection to an SSL server, but getting errSSLHostNameMismatch (-9843). Apparently this is because the server’s cert isn’t for my exact custom subdomain but one that matches all subdomains. Specifically, I’m connecting to hostname “snej.iriscouch.com” (port 443) and the hostname in the cert (according to my web browser) is “*.iriscouch.com”.
This seems like a bug. My understanding is that the peer name match should succeed due to the wildcard in the cert. Moreover, both Safari and Chrome will connect to that host with no security warnings.
If I disable peer name verification by setting the kCFStreamSSLPeerName property to kCFNull, the connection succeeds. Presumably I can then check the hostname myself and interpret the “*” properly, but shouldn’t SecureTransport or CFNetwork be doing that?
—Jens
PS: I’m on OS X 10.7.3.
PPS: Let me know if this would be better directed to the apple-cdsa list.
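The self-check Jens proposes, "interpret the '*' properly", is the same rule browsers apply: the wildcard may only be the entire leftmost label, it matches exactly one label, and it never matches an IP literal. Below is an added example matcher (not code from the original post or from Apple's SecureTransport/CFNetwork) that a client could run against the certificate's DNS names after it has disabled SecureTransport's own peer-name check; the certificate names and hostnames are constructed for the demonstration.

```python
import ipaddress
from typing import List


def _is_ip_literal(hostname: str) -> bool:
    """Wildcard names never match IP addresses, so detect them first."""
    try:
        ipaddress.ip_address(hostname.strip("[]"))
        return True
    except ValueError:
        return False


def wildcard_matches(pattern: str, hostname: str) -> bool:
    """Match one certificate DNS name (possibly '*.example.com') against a host.

    Strict rules, in the spirit of RFC 6125:
      * comparison is case-insensitive and ignores a trailing dot
      * '*' is accepted only as the whole leftmost label ('sn*.x.com' is rejected)
      * '*' matches exactly one label, so '*.iriscouch.com' does not cover
        'iriscouch.com' or 'a.b.iriscouch.com'
      * a wildcard needs at least two fixed labels, refusing '*.com'
      * a wildcard never matches an IP literal
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern or not hostname:
        return False
    if "*" not in pattern:
        return pattern == hostname          # plain name: exact match only
    if _is_ip_literal(hostname):
        return False
    plabels = pattern.split(".")
    hlabels = hostname.split(".")
    if plabels[0] != "*" or any("*" in lbl for lbl in plabels[1:]):
        return False                        # wildcard must be the entire leftmost label
    if len(plabels) < 3:
        return False                        # refuse '*.com'-style patterns
    if len(hlabels) != len(plabels) or hlabels[0] == "":
        return False                        # '*' covers exactly one non-empty label
    return hlabels[1:] == plabels[1:]


def cert_matches_host(dns_names: List[str], hostname: str) -> bool:
    """True if any name from the cert's SAN list (or CN fallback) covers hostname."""
    return any(wildcard_matches(name, hostname) for name in dns_names)


if __name__ == "__main__":
    # Constructed sample: the names a wildcard cert like the one in the post might carry.
    sample_names = ["iriscouch.com", "*.iriscouch.com"]
    print(cert_matches_host(sample_names, "snej.iriscouch.com"))   # True
```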
Macnetworkprog mailing list (email@hidden)