From: "Alex Waite" <alex@waite.eu>
To: "Aaron Schrab" <aaron@schrab.com>,
"brian m. carlson" <sandals@crustytoothpaste.net>,
"Jeff King" <peff@peff.net>, "Junio C Hamano" <gitster@pobox.com>,
git@vger.kernel.org
Subject: Re: [BUG] credential wildcard does not match hostnames containing an underscore
Date: Wed, 13 Oct 2021 18:21:16 +0200
Message-ID: <c84ef8d0-0ed7-4267-9952-d9a2bc053ad6@www.fastmail.com>
In-Reply-To: <YWYLRvUEkoudH5n0@pug.qqx.org>
2021.10.13, aaron@schrab.com:
> At 21:57 +0000 12 Oct 2021, "brian m. carlson"
> <sandals@crustytoothpaste.net> wrote:
>>I also just checked, and RFC 5280 specifies the rules for RFC 1123
>>regarding host names in certificates. So even if we did accept this, no
>>publicly trusted CA could issue a certificate for such a domain, because
>>to do so would be misissuance. So this at best could help people who
>>are either using plain HTTP or an internal CA using broken tools,
>>neither of which I think argue in favor of supporting this.
>
> Or people using a wildcard certificate.
I didn't expect to kick off such a big discussion with this bug. ;-)
Just to add my 2 cents: the environment where I bumped into this is using a wildcard cert. It's among a fleet of (busy) internal domains that host data for scientific analysis. Lots of tools talk with those domains, and this is the first time I've been made aware of something struggling with the domains containing an underscore.
I'm not saying whether git should or should not change its behavior here. But the above is why I was surprised to learn that an underscore is not valid. Because everything (DNS servers, dig, Apache, and git itself) seems to happily use it.
In my view, the primary bug is how difficult it was to debug what was going wrong. This is most easily solved by improving the git docs to specify which characters will be matched. Even better if GIT_TRACE (or something similar) can inform/warn the user about matching.
In any case, thanks everyone for looking into this. :-)
---Alex