[gnutls-devel] GnuTLS | server_name: synchronize server name send/receive (remove dns check) (!1838)

Read-only notification of GnuTLS library development activities gnutls-devel at lists.gnutls.org
Mon May 20 00:15:54 CEST 2024

Elliott Mitchell commented on a discussion: https://gitlab.com/gnutls/gnutls/-/merge_requests/1838#note_1911798699

There are actually 2 distinct issues here.  First, `_gnutls_dnsname_is_valid()` is rather inconsistent in what it accepts.  Far too much is accepted which should not be and as a result it seems more likely to cause a false sense of security than actually usefully trigger.  Some notable examples: (I'll leave the length calculation as an exercise)
```
_gnutls_dnsname_is_valid("127.0.0.1",) => 1
_gnutls_dnsname_is_valid("2130706433",) => 1
_gnutls_dnsname_is_valid("::1",) => 0
_gnutls_dnsname_is_valid("10.0.0.1",) => 1
_gnutls_dnsname_is_valid("167772161",) => 1
_gnutls_dnsname_is_valid("fd12:3456:7890::1",) => 0
_gnutls_dnsname_is_valid("123.4567.890",) => 1
_gnutls_dnsname_is_valid("-www-.example.com",) => 1
```
Yet not one of these is acceptable by RFC 6066 (they could not occur in DNS).  Worse, filtering out IPv6 addresses, but not IPv4 addresses could help create issues posed by shadow networks.  As the most likely server implementation will be roughly `if(find_in_table(sni)) { do_found_thing } else { display_default_unmatched_thing }` I think it is likely best to do minimal filtering.

The other issue is testing is **only** being done in `_gnutls_server_name_recv_params()` and not `_gnutls_server_name_send_params()`.  The result is GnuTLS is being liberal in what it sends, conservative in what it accepts.  This is how you destroy interoperability.

I'm less sure of nul-characters testing in `_gnutls_server_name_send_params()`.  That might be useful for testing _other_ servers and is so broken I'm unsure it is worth bothering with.

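The kind of strict HostName check the comment above argues for, written as an added example (this is not GnuTLS code and does not reproduce `_gnutls_dnsname_is_valid()`). It applies RFC 6066 section 3 (ASCII only, no trailing dot, no literal IP addresses) together with the RFC 1123 label rules (1-63 octets per label, 253 overall, alphanumerics and interior hyphens only). Two points are design choices rather than anything the RFC spells out: a name whose final label is all digits is rejected, which is how both the dotted-quad and the plain-integer IPv4 forms listed above are caught, and the function takes an explicit length so an embedded NUL is rejected as an illegal octet rather than silently truncating the name. The function name and the `main()` driver are this example's own; the idea is that one such routine would be called from both the send and the receive path so the two sides cannot drift apart.

```c
/*
 * Strict SNI HostName validation, added example (not GnuTLS's own code).
 * Returns 1 if `name[0..len)` is a hostname acceptable in a TLS
 * server_name extension, 0 otherwise.
 */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define SNI_MAX_NAME  253   /* RFC 1123 overall limit, without trailing dot */
#define SNI_MAX_LABEL  63   /* RFC 1123 per-label limit */

/* Locale-independent ASCII classification; anything else is rejected,
 * which also covers ':' (IPv6 literals), '_', NUL and non-ASCII bytes. */
static int is_ascii_alpha(unsigned char c)
{
    return (c | 0x20) >= 'a' && (c | 0x20) <= 'z';
}

static int is_ascii_digit(unsigned char c)
{
    return c >= '0' && c <= '9';
}

int sni_hostname_is_valid(const unsigned char *name, size_t len)
{
    size_t label_start = 0;
    int last_label_all_digits = 0;

    if (len == 0 || len > SNI_MAX_NAME)
        return 0;
    /* RFC 6066: "ASCII encoding without a trailing dot" */
    if (name[len - 1] == '.')
        return 0;

    for (size_t i = 0; i <= len; i++) {
        if (i == len || name[i] == '.') {
            size_t llen = i - label_start;
            int all_digits = 1;

            if (llen == 0 || llen > SNI_MAX_LABEL)
                return 0;                       /* empty or oversized label */
            if (name[label_start] == '-' || name[i - 1] == '-')
                return 0;                       /* leading/trailing hyphen */
            for (size_t j = label_start; j < i; j++) {
                if (!is_ascii_digit(name[j])) {
                    all_digits = 0;
                    break;
                }
            }
            last_label_all_digits = all_digits;
            label_start = i + 1;
            continue;
        }
        if (!is_ascii_alpha(name[i]) && !is_ascii_digit(name[i]) &&
            name[i] != '-')
            return 0;                           /* illegal octet */
    }

    /* Design choice for this example: an all-digit final label is treated
     * as an IPv4 literal (dotted quad or plain integer form) and rejected,
     * since RFC 6066 forbids literal addresses in HostName. */
    if (last_label_all_digits)
        return 0;

    return 1;
}

/* Convenience wrapper for NUL-terminated names. */
int sni_hostname_is_valid_str(const char *s)
{
    return sni_hostname_is_valid((const unsigned char *)s, strlen(s));
}

int main(void)
{
    /* Constructed inputs: the cases from the comment plus a few more. */
    static const char *samples[] = {
        "127.0.0.1", "2130706433", "::1", "10.0.0.1", "167772161",
        "fd12:3456:7890::1", "123.4567.890", "-www-.example.com",
        "www.example.com", "xn--nxasmq6b.example", "3com.example",
        "example.com.", "a..b",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-24s => %d\n", samples[i],
               sni_hostname_is_valid_str(samples[i]));
    return 0;
}
```

Calling the same routine from the send path as from the receive path is the point: a client that refuses to emit a name it would reject on arrival cannot end up "liberal in what it sends, conservative in what it accepts".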