please test imminent 2.8.x release
Simon Josefsson
simon at josefsson.org
Fri Aug 7 01:49:01 CEST 2009
Because of the NUL in CN/SAN issue we need to release a stable 2.8.x
update quickly.
Please test the release candidate:
http://daily.josefsson.org/gnutls-2.8/gnutls-2.8-20090806.tar.gz
This will be identical with the release unless I hear anything negative.
You can also help by reviewing the changes since 2.8.1:
http://git.savannah.gnu.org/cgit/gnutls.git/log/?h=gnutls_2_8_x
I don't have more spare time to produce releases of older versions with
the patches (this problem came up at bad timing for me, plenty of paying
assignments to work on), but if someone else wants to spend time on
2.6.x or any older release, that would be welcome. Note that in
addition to the patches that went into 2.8.x you also need to patch the
certificate printing output from gnutls-cli in src/common.c. GnuTLS
2.8.x and later uses libgnutls to print certificate details instead.
You can use a self-test from the 2.9.x branch to check if your GnuTLS is
vulnerable, see:
http://git.savannah.gnu.org/cgit/gnutls.git/plain/tests/nul-in-x509-names.c
Build and run it like this:
wget http://git.savannah.gnu.org/cgit/gnutls.git/plain/tests/nul-in-x509-names.c
gcc -o nul-in-x509-names nul-in-x509-names.c -lgnutls
./nul-in-x509-names
On a broken gnutls it will output:
gnutls_x509_crt_check_hostname BROKEN (NUL-IN-CN)
gnutls_x509_crt_check_hostname BROKEN (NUL-IN-SAN)
On a working gnutls it will output:
gnutls_x509_crt_check_hostname OK (NUL-IN-CN)
gnutls_x509_crt_check_hostname OK (NUL-IN-SAN)
/Simon
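
Added example, not part of the original message and not GnuTLS code: a minimal C sketch of the class of bug the self-test probes, where a certificate name carrying an embedded NUL byte is compared as a C string instead of with the length recorded in the certificate. The function names and the sample name are constructed for illustration, and wildcard matching is left out.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Hypothetical helpers for illustration; these are not GnuTLS functions. */

/* Naive check: treats the certificate name as a C string, so the
 * comparison stops at the first NUL byte and the tail is never seen. */
int naive_name_matches(const char *name, size_t name_len, const char *host)
{
    (void) name_len;            /* length from the certificate is ignored */
    return strcasecmp(name, host) == 0;
}

/* Length-aware check: a DNS name can never contain a NUL, so reject any
 * name that has one, then compare over the full recorded length. */
int strict_name_matches(const char *name, size_t name_len, const char *host)
{
    if (memchr(name, '\0', name_len) != NULL)
        return 0;               /* embedded NUL: refuse to match */
    if (name_len != strlen(host))
        return 0;               /* lengths must agree exactly */
    return strncasecmp(name, host, name_len) == 0;
}

/* Constructed sample: a CN/SAN value as it would come out of the
 * certificate, with its length (28 bytes, NUL at offset 15). */
static const char nul_name[] = "www.example.org\0.example.net";
#define NUL_NAME_LEN (sizeof(nul_name) - 1)

int main(void)
{
    const char *host = "www.example.org";

    printf("naive check:  %s (NUL-IN-NAME)\n",
           naive_name_matches(nul_name, NUL_NAME_LEN, host) ? "BROKEN" : "OK");
    printf("strict check: %s (NUL-IN-NAME)\n",
           strict_name_matches(nul_name, NUL_NAME_LEN, host) ? "BROKEN" : "OK");
    return 0;
}
```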