-
Notifications
You must be signed in to change notification settings - Fork 22
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fix AEWeb SSL certs with multi wildcard domains (#1553) #1585
Fix AEWeb SSL certs with multi wildcard domains (#1553) #1585
Conversation
5a994c8
to
21b54df
Compare
21b54df
to
7d2f40b
Compare
|
GitGuardian id | GitGuardian status | Secret | Commit | Filename | |
---|---|---|---|---|---|
- | - | Generic Private Key | 5b9d528 | test/archethic_web/aeweb/domain_test.exs | View secret |
🛠 Guidelines to remediate hardcoded secrets
- Understand the implications of revoking this secret by investigating where it is used in your code.
- Replace and store your secret safely. Learn here the best practices.
- Revoke and rotate this secret.
- If possible, rewrite git history. Rewriting git history is not a trivial act. You might completely break other contributing developers' workflow and you risk accidentally deleting legitimate data.
To avoid such incidents in the future consider
- following these best practices for managing and storing secrets including API keys and other credentials
- install secret detection on pre-commit to catch secret before it leaves your machine and ease remediation.
🦉 GitGuardian detects secrets in your source code to help developers and security teams secure the modern development process. You are seeing this because you or someone else with access to this repository has authorized GitGuardian to scan your pull request.
7d2f40b
to
5f84522
Compare
|
||
assert [key: expected_key, cert: expected_cert] == result | ||
|
||
result = Domain.sni("*.example.com") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
*.example.com
is not a valid uri.
You should use something like unknown.example.com
which should be valid as the SSL cert willdcard *.example.com
5f84522
to
d36c120
Compare
d36c120
to
5b9d528
Compare
Description
This PR addresses an issue with the SSL certificate verification logic in the node. Previously, the node validated the SSL certificate for a host domain by comparing it only to the last entry in the list of subjectAltName entries within the certificate. This approach neglected other domain entries and did not consider wildcard domains.
The fix introduces enhanced matching logic that:
Compares the host name against the entire list (if present) of subjectAltNames within the certificate.
Supports wildcard matching for more flexible and complete SSL verification.
This improvement ensures that requests to certified subdomains and wildcard domains are handled correctly according to the SSL certificate’s full set of authorized domains.
Fixes #1553
Type of change
Please delete options that are not relevant.
How Has This Been Tested?
The solution has been tested by implementing and verifying the following test cases:
Checklist: