
Commit cc7de8f

committed
Use Lookup profile only in GetCertificate
This should allow wildcard names again.
1 parent be2003b commit cc7de8f


3 files changed

+9
-5
lines changed


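--- a/config.go
+++ b/config.go
@@ -991,9 +991,7 @@ func (cfg *Config) generateCSR(privateKey crypto.PrivateKey, sans []string, useC
 
 for _, name := range sans {
 // identifiers should be converted to punycode before going into the CSR
-// (convert IDNs to ASCII according to RFC 5280 section 7, but use profile
-// recommended by RFC 5891 section 5)
-normalizedName, err := idna.Lookup.ToASCII(name)
+normalizedName, err := idna.ToASCII(name)
 if err != nil {
 return nil, fmt.Errorf("converting identifier '%s' to ASCII: %v", name, err)
 }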
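Review bot: Replacing `idna.Lookup.ToASCII(name)` with `idna.ToASCII(name)` on the added line drops more than the wildcard rejection: as I read golang.org/x/net/idna, the default (Punycode) profile applies no case mapping, no Unicode normalization and no STD3 validation, so a configured name such as `Example.COM` or a non-NFC IDN now goes into the CSR here, and into the storage key in the crypto.go hunk, unchanged, while getNameFromClientHello in handshake.go still maps the SNI through the Lookup profile. Unless callers already lower-case and normalize names before they reach these two sites, the same host can end up with two spellings and the handshake lookup for a stored certificate can miss, which presumably means a spurious re-issuance on an on-demand path. A narrower change keeps the Lookup profile and exempts only the wildcard label, through a small helper shared by the config.go and crypto.go hunks. generateCSR and loadCertResource both continue outside their hunks.
```go
// normalizeName applies the Lookup profile (RFC 5891 section 5) to a
// certificate name, exempting a leading wildcard label which that profile
// would otherwise reject.
func normalizeName(name string) (string, error) {
	prefix := ""
	if strings.HasPrefix(name, "*.") {
		prefix, name = "*.", name[2:]
	}
	ascii, err := idna.Lookup.ToASCII(name)
	if err != nil {
		return "", err
	}
	return prefix + ascii, nil
}

// … unchanged: loop over sans …
normalizedName, err := normalizeName(name)
```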

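--- a/crypto.go
+++ b/crypto.go
@@ -240,8 +240,8 @@ func (cfg *Config) loadCertResourceAnyIssuer(ctx context.Context, certNamesKey s
 func (cfg *Config) loadCertResource(ctx context.Context, issuer Issuer, certNamesKey string) (CertificateResource, error) {
 certRes := CertificateResource{issuerKey: issuer.IssuerKey()}
 
-// for lookup/comparison, use profile recommended by RFC 5891 section 5
-normalizedName, err := idna.Lookup.ToASCII(certNamesKey)
+// don't use the Lookup profile because we might be loading a wildcard cert which is rejected by the Lookup profile
+normalizedName, err := idna.ToASCII(certNamesKey)
 if err != nil {
 return CertificateResource{}, fmt.Errorf("converting '%s' to ASCII: %v", certNamesKey, err)
 }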

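--- a/handshake.go
+++ b/handshake.go
@@ -876,6 +876,12 @@ func (cfg *Config) getTLSALPNChallengeCert(clientHello *tls.ClientHelloInfo) (*t
 // If hello.ServerName is empty (i.e. client did not use SNI), then the
 // associated connection's local address is used to extract an IP address.
 func (cfg *Config) getNameFromClientHello(hello *tls.ClientHelloInfo) (string, error) {
+// IDNs must be converted to punycode for use in TLS certificates (and SNI), but not
+// all clients do that, so convert IDNs to ASCII according to RFC 5280 section 7
+// using profile recommended by RFC 5891 section 5; this solves the "σςΣ" problem
+// (see https://unicode.org/faq/idn.html#22) where not all normalizations are 1:1.
+// The Lookup profile, for instance, rejects wildcard characters (*), but they
+// should never be used in the ClientHello SNI anyway.
 name, err := idna.Lookup.ToASCII(strings.TrimSpace(hello.ServerName))
 if err != nil {
 return "", err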
