[gnutls-devel] GnuTLS | gnutls_x509_crt_check_hostname does not handle trailing dots (#1548)

Read-only notification of GnuTLS library development activities gnutls-devel at lists.gnutls.org
Mon Apr 22 14:02:25 CEST 2024

Daniel Stenberg commented: https://gitlab.com/gnutls/gnutls/-/issues/1548#note_1874924520


RFC 2818 section 3.1 says:

    In general, HTTP/TLS requests are generated by dereferencing a URI.
    As a consequence, the hostname for the server is known to the client.
    If the hostname is available, the client MUST check it against the
    server's identity as presented in the server's Certificate message,
    in order to prevent man-in-the-middle attacks.

The hostname here can have a trailing dot. The SNI name does not.

RFC 9525 section 6.1 is less specific but says:

    The inputs used by the client to construct its list of reference identifiers might
    be a URI that a user has typed into an interface (e.g., an HTTPS URL for a website)

Again, that is the hostname. Not the SNI name.

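The distinction drawn in the comment above, as an added example that is neither GnuTLS code nor part of the issue thread: a plain C matcher (hypothetical name `hostname_matches_dnsname`) that takes the reference identifier exactly as it comes from the URL, trailing dot included, and compares it against one certificate dNSName, plus a helper (`sni_name_from_host`, also hypothetical) that derives the SNI value, which RFC 6066 defines without a trailing dot. A wildcard is honoured only as the complete left-most label, as RFC 9525 section 6.3 allows.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Length of the name without one trailing dot ("example.com." -> 11). */
static size_t strip_trailing_dot(const char *name)
{
    size_t n = strlen(name);
    if (n > 0 && name[n - 1] == '.')
        n--;
    return n;
}

/* Case-insensitive comparison of two name slices (DNS names are case-insensitive). */
static bool name_eq(const char *a, size_t alen, const char *b, size_t blen)
{
    if (alen != blen)
        return false;
    for (size_t i = 0; i < alen; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return false;
    return true;
}

/* Does the URL host (possibly absolute, i.e. with a trailing dot) match one
 * dNSName from the certificate? Both sides are normalised the same way. */
bool hostname_matches_dnsname(const char *host, const char *dnsname)
{
    size_t hlen = strip_trailing_dot(host);
    size_t dlen = strip_trailing_dot(dnsname);
    if (hlen == 0 || dlen == 0)
        return false;
    if (dlen > 2 && dnsname[0] == '*' && dnsname[1] == '.') {
        /* "*.example.com": the wildcard stands for exactly one left-most label */
        const char *dot = memchr(host, '.', hlen);
        if (dot == NULL || dot == host)
            return false;
        size_t rest = hlen - (size_t)(dot + 1 - host);
        return name_eq(dot + 1, rest, dnsname + 2, dlen - 2);
    }
    return name_eq(host, hlen, dnsname, dlen);
}

/* SNI HostName to send: the URL host with its trailing dot removed. */
bool sni_name_from_host(const char *host, char *out, size_t outlen)
{
    size_t n = strip_trailing_dot(host);
    if (n == 0 || n + 1 > outlen)
        return false;
    memcpy(out, host, n);
    out[n] = '\0';
    return true;
}
```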
