
Fix AEWeb SSL certs with multi wildcard domains (#1553) #1585

Merged

Conversation

@wassimans wassimans (Contributor) commented Oct 25, 2024

Description

This PR addresses an issue with the SSL certificate verification logic in the node. Previously, the node validated the SSL certificate for a host domain by comparing it only to the last entry in the list of subjectAltName entries within the certificate. This approach neglected other domain entries and did not consider wildcard domains.

The fix introduces enhanced matching logic that:

  • Compares the host name against the entire list (if present) of subjectAltNames within the certificate.

  • Supports wildcard matching for more flexible and complete SSL verification.

This improvement ensures that requests to certified subdomains and wildcard domains are handled correctly according to the SSL certificate’s full set of authorized domains.

Fixes #1553

Type of change

Please delete options that are not relevant.

  • Bug fix (non-breaking change which fixes an issue)

How Has This Been Tested?

The solution has been tested by implementing and verifying the following test cases:

  • Matching certified domains: Ensures that domains listed in the subjectAltNames (including exact matches and wildcard patterns) are verified correctly.
  • Non-certified domains: Confirms that non-certified domains are rejected, falling back to default SSL configurations when appropriate.

Checklist:

  • My code follows the style guidelines of this project
  • I have performed a self-review of my own code
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • My changes generate no new warnings
  • I have added tests that prove my fix is effective or that my feature works
  • New and existing unit tests pass locally with my changes
  • Any dependent changes have been merged and published in downstream modules
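A compact reference implementation of the matching rule the description above calls for, added here as an example and not code from this PR or the archethic project. The SAN list and host names are constructed, and the pre-fix "last entry only" check is modelled on the description's characterisation of the bug; the single-label wildcard rule follows RFC 6125 section 6.4.3.

```python
# Added example, not the archethic project's own code: host-name matching
# against a certificate's full subjectAltName (SAN) list as this PR
# describes it, with the single-label wildcard rule of RFC 6125 section 6.4.3.
from typing import Iterable


def san_matches(hostname: str, san_entry: str) -> bool:
    """True if one dNSName SAN entry covers hostname."""
    host = hostname.rstrip(".").lower()
    pattern = san_entry.rstrip(".").lower()
    # The name being verified must be concrete; a '*' only means
    # something inside the certificate (see the review note on *.example.com).
    if not host or "*" in host:
        return False
    if "*" not in pattern:
        return host == pattern
    pat_labels = pattern.split(".")
    # Accept only a whole leftmost label as wildcard ("*.example.com"),
    # never "w*.example.com", "*.*.com" or a bare "*.com".
    if pat_labels[0] != "*" or "*" in pattern[2:] or len(pat_labels) < 3:
        return False
    host_labels = host.split(".")
    # One wildcard covers exactly one label: "*.example.com" matches
    # "api.example.com" but neither "example.com" nor "a.b.example.com".
    return len(host_labels) == len(pat_labels) and host_labels[1:] == pat_labels[1:]


def hostname_certified(hostname: str, sans: Iterable[str]) -> bool:
    """Fixed behaviour: any entry in the SAN list may cover hostname."""
    return any(san_matches(hostname, san) for san in sans)


def last_entry_only(hostname: str, sans: list) -> bool:
    """Pre-fix behaviour as the PR describes it: compare with the last SAN entry only."""
    return bool(sans) and hostname.lower() == sans[-1].lower()


# Constructed SAN list (not from a real certificate): the wildcard entry is
# deliberately first, so the old last-entry check never sees it.
SAMPLE_SANS = ["*.example.com", "example.com", "www.example.org"]

if __name__ == "__main__":
    for name in ["api.example.com", "example.com", "deep.api.example.com",
                 "www.example.org", "*.example.com"]:
        print(f"{name:22} old={last_entry_only(name, SAMPLE_SANS)!s:5} "
              f"new={hostname_certified(name, SAMPLE_SANS)}")
```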

@wassimans wassimans added bug Something isn't working web hosting issue regarding web hosting labels Oct 25, 2024
@wassimans wassimans force-pushed the fix/1553-ssl-cert-multi-domains branch from 5a994c8 to 21b54df Compare October 27, 2024 15:12
@archethic-foundation archethic-foundation deleted a comment from gitguardian bot Oct 28, 2024
Review threads: lib/archethic_web/aeweb/domain.ex (outdated, resolved), test/archethic_web/aeweb/domain_test.exs (resolved)
@wassimans wassimans force-pushed the fix/1553-ssl-cert-multi-domains branch from 21b54df to 7d2f40b Compare October 28, 2024 15:34
gitguardian bot commented Oct 28, 2024

⚠️ GitGuardian has uncovered 1 secret following the scan of your pull request.

Please consider investigating the findings and remediating the incidents. Failure to do so may lead to compromising the associated services or software components.

Since your pull request originates from a forked repository, GitGuardian is not able to associate the secrets uncovered with secret incidents on your GitGuardian dashboard.
Skipping this check run and merging your pull request will create secret incidents on your GitGuardian dashboard.

🔎 Detected hardcoded secret in your pull request
GitGuardian id: -
GitGuardian status: -
Secret: Generic Private Key
Commit: 5b9d528
Filename: test/archethic_web/aeweb/domain_test.exs
🛠 Guidelines to remediate hardcoded secrets
  1. Understand the implications of revoking this secret by investigating where it is used in your code.
  2. Replace and store your secret safely. Learn here the best practices.
  3. Revoke and rotate this secret.
  4. If possible, rewrite git history. Rewriting git history is not a trivial act. You might completely break other contributing developers' workflow and you risk accidentally deleting legitimate data.

To avoid such incidents in the future consider


🦉 GitGuardian detects secrets in your source code to help developers and security teams secure the modern development process. You are seeing this because you or someone else with access to this repository has authorized GitGuardian to scan your pull request.

@wassimans wassimans force-pushed the fix/1553-ssl-cert-multi-domains branch from 7d2f40b to 5f84522 Compare October 28, 2024 15:36

assert [key: expected_key, cert: expected_cert] == result

result = Domain.sni("*.example.com")
@Neylix Neylix (Member) commented Oct 28, 2024


*.example.com is not a valid URI.
You should use something like unknown.example.com, which should be valid as the SSL cert wildcard *.example.com.

@wassimans wassimans force-pushed the fix/1553-ssl-cert-multi-domains branch from 5f84522 to d36c120 Compare October 28, 2024 18:05
@wassimans wassimans force-pushed the fix/1553-ssl-cert-multi-domains branch from d36c120 to 5b9d528 Compare October 29, 2024 08:40
@Neylix Neylix merged commit 8f6ddc9 into archethic-foundation:develop Oct 29, 2024
1 of 2 checks passed
Labels: bug (Something isn't working), web hosting (issue regarding web hosting)

Linked issue (closed by merging this pull request): AEWeb ssl certificate does not work on multiple / wildcard domain name