matching domain names in ssl certificates - ssl

I have been going through X.509 RFCs, and I have issues with domain name matching conventions.
Should the domain name "www.foo.com" match the "foo.com" and ".foo.com" domain names in SSL certificates? Please note there are no wildcards.
Here is a snippet of section 4.2.1.10 (Name Constraints) from RFC 5280; the same restrictions apply to the alt name extensions.
"DNS name restrictions are expressed as host.example.com. Any DNS
name that can be constructed by simply adding zero or more labels to
the left-hand side of the name satisfies the name constraint. For
example, www.host.example.com would satisfy the constraint but
host1.example.com would not."

Unfortunately, if you have a certificate for "www.foo.com", it will not automatically work for "foo.com" unless specified by your certificate provider (or CA). I had this same issue before. Check the fine print; something should be listed as "Secures both your www and non-www", or contact their support and ask how it should be done.

The section you quote from RFC 5280 (section 4.2.1.10) isn't about host name matching in the sense of what the client should verify when it connects to the server, it's about what CAs are allowed to issue if they use the name constraints extension.
What you seem to be after used to be protocol-specific, and was defined in RFC 2818 (section 3.1) for HTTPS.
RFC 6125 is more recent and harmonises this across application protocols. (It's not necessarily widely implemented.)
More specifically, www.foo.com will not match foo.com or .foo.com:
6.4.1. Checking of Traditional Domain Names
If the DNS domain name portion of a reference identifier is a
"traditional domain name", then matching of the reference identifier
against the presented identifier is performed by comparing the set of
domain name labels using a case-insensitive ASCII comparison, as
clarified by [DNS-CASE] (e.g., "WWW.Example.Com" would be lower-cased
to "www.example.com" for comparison purposes). Each label MUST match
in order for the names to be considered to match, except as
supplemented by the rule about checking of wildcard labels
(Section 6.4.3).
Generally, if you want a certificate to be valid for www.foo.com and foo.com, it will need to have multiple Subject Alternative Names (even foo.com isn't covered by *.foo.com).
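As an added example (not part of either answer above), here is a small Python implementation of the two rules the answer distinguishes: RFC 6125 section 6.4.1/6.4.3 host name matching, which a client applies to the dNSName entries in a certificate, and RFC 5280 section 4.2.1.10 DNS name-constraint matching, which a CA or path validator applies. The function names and the sample names are my own; the wildcard handling is the conservative reading of 6.4.3 (a bare `*` as the whole left-most label, standing for exactly one label, with at least two labels to its right).

```python
"""Added example: RFC 6125 host name matching versus RFC 5280 DNS name
constraints. Not code from the original answers; the names below are
constructed to mirror the question (www.foo.com, foo.com, .foo.com)."""


def _labels(name: str) -> list[str]:
    # RFC 6125 6.4.1: compare labels case-insensitively (DNS-CASE). A single
    # trailing dot (absolute FQDN form) is dropped before splitting.
    name = name.lower()
    if name.endswith("."):
        name = name[:-1]
    return name.split(".")


def san_matches(presented: str, reference: str) -> bool:
    """Does a presented identifier (a dNSName in the certificate) match the
    reference identifier (the host the client wanted)?  RFC 6125 6.4.1: every
    label must match; 6.4.3: a '*' wildcard is honoured only as the complete
    left-most label and it stands for exactly one label."""
    p, r = _labels(presented), _labels(reference)
    if "" in p or "" in r:          # empty labels (".foo.com") never match
        return False
    if len(p) != len(r):            # www.foo.com vs foo.com: label count differs
        return False
    if "*" in "".join(p[1:]) or ("*" in p[0] and p[0] != "*"):
        return False                # conservative: no partial / non-leftmost wildcards
    if p[0] == "*":
        # *.foo.com needs at least two labels after the wildcard so it can
        # never stand for a whole public suffix such as *.com.
        return len(p) >= 3 and p[1:] == r[1:]
    return p == r


def certificate_covers(san_names: list[str], hostname: str) -> bool:
    """A certificate covers a host if any subjectAltName dNSName matches it,
    which is why both www.foo.com and foo.com must be listed as SANs."""
    return any(san_matches(san, hostname) for san in san_names)


def name_constraint_permits(constraint: str, dns_name: str) -> bool:
    """RFC 5280 4.2.1.10: dns_name satisfies the constraint host.example.com
    if it can be built by adding zero or more labels on the left of it."""
    c, n = _labels(constraint), _labels(dns_name)
    if "" in c or "" in n:
        return False
    return len(n) >= len(c) and n[len(n) - len(c):] == c


if __name__ == "__main__":
    for san, host in [("www.foo.com", "foo.com"), ("www.foo.com", ".foo.com"),
                      ("*.foo.com", "foo.com"), ("*.foo.com", "www.foo.com")]:
        print(f"{san:12} matches {host:12}: {san_matches(san, host)}")
    print("constraint host.example.com permits www.host.example.com:",
          name_constraint_permits("host.example.com", "www.host.example.com"))
    print("constraint host.example.com permits host1.example.com:",
          name_constraint_permits("host.example.com", "host1.example.com"))
```

The two checks answer different questions: `name_constraint_permits` accepts anything to the left of the constrained name (what a CA may issue), while `san_matches` requires the same number of labels (what a client accepts), so a constraint that permits www.foo.com says nothing about whether a certificate for www.foo.com is valid for foo.com.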

Related

ANTLR: detect an optional token in front of a sequence of any characters

The goal is to match URLs (without the protocol) which may or may not include an optional hostname. For example
acme.com/a/path
/another/path/expr
a/path/not/starting_with/slash
All 3 should match but ideally the grammar would allow recovering the hostname - acme.com - in the first expression.
So the parser grammar would ideally look like:
url: hostname? pathExpr
The problem is coming up with the Lexer Grammar
For instance
fragment ALPHANUM: [a-zA-Z0-9-];
fragment NAME: ALPHANUM+;
HOSTNAME: NAME ( '.' NAME)+ -> mode (PATH_MODE);
mode PATH_MODE;
PATH_EXPR: .+;
works fine for the first case but will not match the other 2.
How do I do that?
(Note: for the default mode, I tried expressing a rule ANYPATH defining a sequence of characters not starting with a HOSTNAME, but failed.)
I recommend not reinventing the wheel here. There is an existing grammar for URLs, which should give you all the details you want.
Update:
In order to make the entire host/port part optional you could simply amend the url rule like this:
url
: authority '://' login? host (':' port)? ('/' path)? ('?' search)?
| '/'? path ('?' search)?
;
Did you try that already? I also see this grammar is not very flexible. Almost every part before the path part is optional (like the authority, the login info, port etc.).

Specifying multiple Domain Bases in Rocket.Chat LDAP

On Rocket.Chat's LDAP configuration page, the helper text for Domain Base states that you should enter (emphasis mine):
The fully qualified Distinguished Name (DN) of an LDAP subtree you want to search for users and groups. You can add as many as you like; however, each group must be defined in the same domain base as the users that belong to it. If you specify restricted user groups, only users that belong to those groups will be in scope. We recommend that you specify the top level of your LDAP directory tree as your domain base and use search filter to control access.
Problem is, I don't know how to enter more than one.
My DN looks like this:
OU=IT,OU=Staff,DC=companyname,DC=local
And I want the following users to also be synced:
OU=Example,OU=Staff,DC=companyname,DC=local
But I don't know how to add them both, as the docs aren't clear, and the source code is even less clear.
I've tried the following ways:
Space separated
Semicolon separated
Ampersand (and double ampersand) separated
Wrapping them up in an array (e.g. ["OU=Example ...", "OU=IT ..."]) and as a JSON object
Pipe (and double pipe) separated
'Plus' separated (e.g. DC=local + OU=Example)
But no matter what I do, it won't sync users. The logs tell me:
Exception while invoking method 'ldap_sync_users' NoSuchObjectError: 0000208D: NameErr: DSID-03100238, problem 2001 (NO_OBJECT), data 0, best match of: at Object.Future.wait (/snap/rocketchat-server/511/node_modules/fibers/future.js:449:15) ...
I know I can set up a group restriction so only users in a certain group will be synced, but the helper text says I can use multiple DNs, and I want to know how to use multiple DNs.
After reading RFC-4514, I discovered I should construct my DN like so:
OU=Example+OU=IT,OU=Staff,DC=companyname,DC=local
With the plus occurring between the two OUs I wish to add. Now my users are syncing correctly.
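As an added example (not Rocket.Chat's code and not from the question or answer), here is a teaching-grade parser for RFC 4514 string DNs, written to show how ',' and '+' are read. Under RFC 4514, ',' separates RDNs and '+' joins attribute-value assertions into one multi-valued RDN, so the parser reads OU=Example+OU=IT,OU=Staff,DC=companyname,DC=local as a single DN of four RDNs whose first RDN carries both OU values. The function names are my own; '#'-prefixed BER values are not handled.

```python
"""Added example: a teaching-grade parser for RFC 4514 string DNs, written
to show how ',' and '+' are read. Not Rocket.Chat's code; the sample DNs
are the ones from the question above."""
import re

_HEXPAIR = re.compile(r"[0-9A-Fa-f]{2}")


def _split_unescaped(text: str, sep: str) -> list[str]:
    """Split on `sep`, skipping occurrences escaped with a backslash."""
    parts, buf, i = [], [], 0
    while i < len(text):
        if text[i] == "\\" and i + 1 < len(text):
            buf.append(text[i:i + 2])   # keep the escape for _unescape
            i += 2
            continue
        if text[i] == sep:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(text[i])
        i += 1
    parts.append("".join(buf))
    return parts


def _unescape(raw: str) -> str:
    """Undo RFC 4514 section 2.4 escaping: '\\c' -> c, '\\XX' -> the byte XX.
    (Multi-byte UTF-8 hex sequences are not reassembled here.)"""
    out, i = [], 0
    while i < len(raw):
        if raw[i] == "\\" and i + 1 < len(raw):
            if _HEXPAIR.fullmatch(raw[i + 1:i + 3]):
                out.append(chr(int(raw[i + 1:i + 3], 16)))
                i += 3
            else:
                out.append(raw[i + 1])
                i += 2
        else:
            out.append(raw[i])
            i += 1
    return "".join(out)


def parse_dn(dn: str) -> list[list[tuple[str, str]]]:
    """Return the DN as a list of RDNs, leftmost first. Each RDN is a list of
    (attributeType, attributeValue) pairs: one pair for a normal RDN, several
    for a multi-valued RDN written with '+'. Attribute types are normalised
    to upper case; '#'-prefixed BER values are not handled."""
    rdns = []
    for rdn_text in _split_unescaped(dn, ","):
        rdn = []
        for ava in _split_unescaped(rdn_text, "+"):
            attr_type, eq, value = ava.partition("=")
            if not eq:
                raise ValueError(f"RDN component without '=': {ava!r}")
            # RFC 4514 itself allows no whitespace around '='; be lenient on
            # the type side only, since leading/trailing spaces in a value
            # must be escaped and are therefore significant.
            rdn.append((attr_type.strip().upper(), _unescape(value)))
        rdns.append(rdn)
    return rdns


def rdn_count(dn: str) -> int:
    return len(parse_dn(dn))


if __name__ == "__main__":
    for rdn in parse_dn("OU=Example+OU=IT,OU=Staff,DC=companyname,DC=local"):
        print(rdn)
```

Running it prints four RDNs; the first is `[('OU', 'Example'), ('OU', 'IT')]`, which is how a directory server will also read the string when it looks for the search base.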

Creating Configuration File for DDS Recording Service

I'm a beginner looking for some clarity on how to create configuration files for the DDS Recording Service in two areas.
If you are looking to record a set of specific topics from a domain how do you set up the topic group? Can you list the topics as individual <topic_expr> i.e.
<topic_group name="SomeTopics">
    <topics>
        <topic_expr>topic2</topic_expr>
        <topic_expr>topic8</topic_expr>
    </topics>
    <field_expr>*</field_expr>
</topic_group>
When I tried something like this not all the listed topics would be recorded. Is there something I am overlooking?
Secondly, when you use -deserialize, do you need to make any changes to the configuration file you used to record the database? I sometimes get errors about how "rti dds failed to find" followed by something like X::Y::Z. Thanks.
The XSD schema for the configuration file does not expect you to use multiple <topic_expr> tags, but a single tag with a comma-separated list of Topic names. The RTI Recording Service User's Manual explains it as follows:
<topic_expr>POSIX fn expression</topic_expr>
Required.
A comma-separated list of POSIX expressions that specify the names of Topics to be included in the TopicGroup.
The syntax and semantics are the same as for Partition matching.
Default: Null
Note: Keep in mind that spaces are valid first characters in topic names, thus they can affect the matching process. For example, this will match both Triangle and Square topics (notice there is no space before Square):
<topic_expr>Triangle,Square</topic_expr>
However the following will only match Triangle topics (because there is a space before Square):
<topic_expr>Triangle, Square</topic_expr>
With regard to the -deserialize option, this is not applicable to the Recording Service but to the Converter tool (rtirecconv). If you want to record deserialized, you will have to indicate that in the Recording Service configuration, via the tag <deserialize_mode>. Again, see the User's Manual for details.
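As an added example (not RTI's code and not from the answer), the following Python models how a comma-separated <topic_expr> list is split and matched, so the leading-space pitfall from the manual can be checked before a recording run. Two assumptions are mine: each pattern is matched with POSIX fnmatch semantics (the manual says matching is the same as for Partitions, which DDS defines in fnmatch terms), and the list is split on ',' without trimming whitespace, which is what the manual's note about leading spaces implies.

```python
"""Added example: how a comma-separated <topic_expr> is split and matched.
Not RTI's code. Assumptions: each pattern is matched with POSIX fnmatch
semantics and the list is split on ',' with no whitespace trimming."""
from fnmatch import fnmatchcase


def split_topic_expr(expr: str) -> list[str]:
    # No .strip(): a space is a valid first character of a topic name, so
    # "Triangle, Square" yields the pattern " Square", not "Square".
    return expr.split(",")


def topic_matches(expr: str, topic: str) -> bool:
    return any(fnmatchcase(topic, pattern) for pattern in split_topic_expr(expr))


def recorded_topics(expr: str, available: list[str]) -> list[str]:
    """Topics, out of those discovered in the domain, that the group records."""
    return [t for t in available if topic_matches(expr, t)]


def leading_space_patterns(expr: str) -> list[str]:
    """Config lint: patterns that begin with whitespace, the usual reason a
    listed topic silently goes unrecorded."""
    return [p for p in split_topic_expr(expr) if p and p[0].isspace()]


if __name__ == "__main__":
    discovered = ["Triangle", "Square", "Circle", "topic2", "topic8"]   # constructed
    for expr in ("Triangle,Square", "Triangle, Square", "topic*"):
        print(f"{expr!r}: records {recorded_topics(expr, discovered)}, "
              f"suspicious {leading_space_patterns(expr)}")
```

For the question's case, `<topic_expr>topic2,topic8</topic_expr>` (one tag, no spaces) records both topics, while `leading_space_patterns` flags the `" Square"` pattern produced by `Triangle, Square`.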

how to add subject alternative name in existing x.509 certificate?

I have one certificate which has "RFC822 Name=null" in "subject alternative name".
Can I know how we can edit this extension so that I can put some value in this field?

Are colons allowed in URLs?

I thought using colons in URIs was "illegal". Then I saw that vimeo.com is using URIs like http://www.vimeo.com/tag:sample.
What do you feel about the usage of colons in URIs?
How do I make my Apache server work with the "colon" syntax because now it's throwing the "Access forbidden!" error when there is a colon in the first segment of the URI?
Colons are allowed in the URI path. But you need to be careful when writing relative URI paths with a colon since it is not allowed when used like this:
<a href="tag:sample">
In this case tag would be interpreted as the URI’s scheme. Instead you need to write it like this:
<a href="./tag:sample">
Are colons allowed in URLs?
Yes, unless it's in the first path segment of a relative-path reference.
So for example you can have a URL like this:
https://en.wikipedia.org/wiki/Template:Welcome
And you can use it normally as an absolute URL or some relative variants:
[three example links with the text "Welcome Template"; their href values were not preserved]
But this would be invalid:
<a href="Template:Welcome">Welcome Template</a>
because the "Template" here would be mistaken for the protocol scheme.
You would have to use:
<a href="./Template:Welcome">Welcome Template</a>
to use a relative link from a page on the same level in the hierarchy.
The spec
See the RFC 3986, Section 3.3:
https://www.rfc-editor.org/rfc/rfc3986#section-3.3
The path component contains data, usually organized in hierarchical
form, that, along with data in the non-hierarchical query component
(Section 3.4), serves to identify a resource within the scope of the
URI's scheme and naming authority (if any). The path is terminated
by the first question mark ("?") or number sign ("#") character, or
by the end of the URI.
If a URI contains an authority component, then the path component
must either be empty or begin with a slash ("/") character. If a URI
does not contain an authority component, then the path cannot begin
with two slash characters ("//"). In addition, a URI reference
(Section 4.1) may be a relative-path reference, in which case the
first path segment cannot contain a colon (":") character. The ABNF
requires five separate rules to disambiguate these cases, only one of
which will match the path substring within a given URI reference. We
use the generic term "path component" to describe the URI substring
matched by the parser to one of these rules. [emphasis added]
Example URL that uses a colon:
https://en.wikipedia.org/wiki/Template:Welcome
Also note the difference between Apache on Linux and Windows. Apache on Windows somehow doesn't allow colons to be used in the first part of the URL. Linux has no problem with this, however.
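As an added example (not from either answer), here is how the standard library's urljoin resolves references whose first path segment contains a colon, per RFC 3986 section 4.2, together with the './' fix both answers give. The base pages and function names are constructed for the demonstration.

```python
"""Added example (not from either answer): resolving references whose first
path segment contains a colon, per RFC 3986 section 4.2, with the standard
library's urljoin. The base pages are constructed for the demonstration."""
from urllib.parse import urljoin, urlsplit

WIKI_BASE = "https://en.wikipedia.org/wiki/Main_Page"     # constructed base page
VIMEO_BASE = "http://www.vimeo.com/videos"                # constructed base page


def parsed_as_scheme(ref: str) -> bool:
    """True when a parser reads the text before the first ':' as a scheme,
    i.e. the reference is NOT a relative-path reference (RFC 3986 4.2)."""
    return urlsplit(ref).scheme != ""


def resolve(base: str, ref: str) -> str:
    """Resolve `ref` against `base` the way a browser resolves an href."""
    return urljoin(base, ref)


def safe_relative_path(path: str) -> str:
    """For a path meant as a relative-path reference: prefix './' when the
    first segment contains a colon, the fix both answers above give."""
    first_segment = path.split("/", 1)[0]
    if ":" in first_segment and not path.startswith("/"):
        return "./" + path
    return path


if __name__ == "__main__":
    for ref in ("Template:Welcome", "./Template:Welcome", "/wiki/Template:Welcome"):
        print(f"{ref:24} scheme? {parsed_as_scheme(ref)!s:5} -> {resolve(WIKI_BASE, ref)}")
    print(resolve(VIMEO_BASE, safe_relative_path("tag:sample")))
```

Note that `safe_relative_path` is only for paths you already know are relative: an absolute URI such as https://example.com/ also has a colon in its first "segment", so do not pass full URIs through it.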