<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">
<html lang="en" style='--code-editor-font: var(--default-mono-font, "GitLab Mono"), JetBrains Mono, Menlo, DejaVu Sans Mono, Liberation Mono, Consolas, Ubuntu Mono, Courier New, andale mono, lucida console, monospace;'>
<head>
<meta content="text/html; charset=US-ASCII" http-equiv="Content-Type">
<title>
GitLab
</title>
<style data-premailer="ignore" type="text/css">
a { color: #1068bf; }
</style>
<style>img {
max-width: 100%; height: auto;
}
body {
font-size: .875rem;
}
body {
-webkit-text-shadow: rgba(255,255,255,.01) 0 0 1px;
}
body {
font-family: var(--default-regular-font, "GitLab Sans"),-apple-system,BlinkMacSystemFont,"Segoe UI",Roboto,"Noto Sans",Ubuntu,Cantarell,"Helvetica Neue",sans-serif,"Apple Color Emoji","Segoe UI Emoji","Segoe UI Symbol","Noto Color Emoji"; font-size: inherit;
}
</style>
</head>
<body style='font-size: inherit; -webkit-text-shadow: rgba(255,255,255,.01) 0 0 1px; font-family: var(--default-regular-font, "GitLab Sans"),-apple-system,BlinkMacSystemFont,"Segoe UI",Roboto,"Noto Sans",Ubuntu,Cantarell,"Helvetica Neue",sans-serif,"Apple Color Emoji","Segoe UI Emoji","Segoe UI Symbol","Noto Color Emoji";'>
<div class="content">
<p style="color: #777777;">
<a href="https://gitlab.com/ehem">Elliott Mitchell</a>
commented on a
<a href="https://gitlab.com/gnutls/gnutls/-/merge_requests/1838#note_1911798699">discussion</a>:
</p>
<div class="md" style="color: #333238; word-wrap: break-word;">
<p dir="auto" style="color: #333238; margin: 0 0 16px;" align="initial">There are actually 2 distinct issues here. First, <code style='font-size: 90%; color: #1f1e24; word-wrap: break-word; background-color: #ececef; border-radius: .25rem; margin-top: 0; font-weight: inherit; font-family: var(--default-mono-font, "GitLab Mono"),"JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; vertical-align: bottom; white-space: pre-wrap; overflow-wrap: break-word; word-break: keep-all; padding: 2px 4px;'>_gnutls_dnsname_is_valid()</code> is rather inconsistent in what it accepts. Far too much is accepted which should not be, and as a result it seems more likely to cause a false sense of security than to actually usefully trigger. Some notable examples: (I'll leave the length calculation as an exercise)</p>
<div class="gl-relative markdown-code-block js-markdown-code">
<pre class="code highlight js-syntax-highlight language-plaintext" v-pre="true" style='display: block; font-size: 14px; color: #333238; line-height: 1.6em; overflow-x: auto; border-radius: .25rem; position: relative; font-family: var(--default-mono-font, "GitLab Mono"),"JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; margin: 0 0 16px; padding: 12px; border: 1px solid #dcdcde;'><code style='font-size: inherit; color: inherit; word-wrap: normal; word-break: keep-all; background-color: inherit; border-radius: .25rem; white-space: pre; margin-top: 0; font-family: var(--default-mono-font, "GitLab Mono"),"JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; vertical-align: bottom; overflow-wrap: normal; padding: unset;'><span id="LC1" class="line" lang="plaintext" style="margin-top: 0;">_gnutls_dnsname_is_valid("127.0.0.1",) => 1</span>
<span id="LC2" class="line" lang="plaintext">_gnutls_dnsname_is_valid("2130706433",) => 1</span>
<span id="LC3" class="line" lang="plaintext">_gnutls_dnsname_is_valid("::1",) => 0</span>
<span id="LC4" class="line" lang="plaintext">_gnutls_dnsname_is_valid("10.0.0.1",) => 1</span>
<span id="LC5" class="line" lang="plaintext">_gnutls_dnsname_is_valid("167772161",) => 1</span>
<span id="LC6" class="line" lang="plaintext">_gnutls_dnsname_is_valid("fd12:3456:7890::1",) => 0</span>
<span id="LC7" class="line" lang="plaintext">_gnutls_dnsname_is_valid("123.4567.890",) => 1</span>
<span id="LC8" class="line" lang="plaintext">_gnutls_dnsname_is_valid("-www-.example.com",) => 1</span></code></pre>
</div>
<p dir="auto" style="color: #333238; margin: 0 0 16px;" align="initial">Yet not one of these is acceptable under RFC 6066 (they could not occur in DNS). Worse, filtering out IPv6 addresses but not IPv4 addresses could help create the issues posed by shadow networks. As the most likely server implementation will be roughly <code style='font-size: 90%; color: #1f1e24; word-wrap: break-word; background-color: #ececef; border-radius: .25rem; margin-top: 0; font-weight: inherit; font-family: var(--default-mono-font, "GitLab Mono"),"JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; vertical-align: bottom; white-space: pre-wrap; overflow-wrap: break-word; word-break: keep-all; padding: 2px 4px;'>if(find_in_table(sni)) { do_found_thing } else { display_default_unmatched_thing }</code>, I think it is likely best to do minimal filtering.</p>
<p dir="auto" style="color: #333238; margin: 0 0 16px;" align="initial">The other issue is that testing is <strong style="font-weight: 600; margin-top: 0;">only</strong> being done in <code style='font-size: 90%; color: #1f1e24; word-wrap: break-word; background-color: #ececef; border-radius: .25rem; font-weight: inherit; font-family: var(--default-mono-font, "GitLab Mono"),"JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; vertical-align: bottom; white-space: pre-wrap; overflow-wrap: break-word; word-break: keep-all; padding: 2px 4px;'>_gnutls_server_name_recv_params()</code> and not <code style='font-size: 90%; color: #1f1e24; word-wrap: break-word; background-color: #ececef; border-radius: .25rem; font-weight: inherit; font-family: var(--default-mono-font, "GitLab Mono"),"JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; vertical-align: bottom; white-space: pre-wrap; overflow-wrap: break-word; word-break: keep-all; padding: 2px 4px;'>_gnutls_server_name_send_params()</code>. The result is that GnuTLS is being liberal in what it sends and conservative in what it accepts. This is how you destroy interoperability.</p>
<p dir="auto" style="color: #333238; margin: 0;" align="initial">I'm less sure of the nul-character testing in <code style='font-size: 90%; color: #1f1e24; word-wrap: break-word; background-color: #ececef; border-radius: .25rem; margin-top: 0; font-weight: inherit; font-family: var(--default-mono-font, "GitLab Mono"),"JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; vertical-align: bottom; white-space: pre-wrap; overflow-wrap: break-word; word-break: keep-all; padding: 2px 4px;'>_gnutls_server_name_send_params()</code>. That might be useful for testing <em>other</em> servers and is so broken I'm unsure it is worth bothering with.</p>
</div>
</div>
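<p>For reference, here is what a strict RFC 6066 HostName check looks like when measured against the inputs listed in the comment above. This is an added example, not GnuTLS code and not part of the discussion; the function name <code>sni_hostname_is_valid</code> is hypothetical, and it applies the RFC 1123 LDH label rules plus the RFC 3696 rule that the last label must not be all-numeric, which is what rejects both dotted-decimal and single-integer IPv4 literals.</p>

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical strict SNI HostName checker (added example, not GnuTLS code).
 * Rules applied:
 *  - 1..253 octets in total, labels of 1..63 octets separated by '.'
 *  - labels contain only letters, digits and '-' (LDH), with no leading
 *    or trailing '-' (rejects "-www-.example.com")
 *  - ':' is never allowed, so IPv6 literals such as "::1" are rejected
 *  - the last label must not be all digits (RFC 3696 s.2), which rejects
 *    "127.0.0.1", "123.4567.890" and integer forms like "2130706433"
 * Length is passed explicitly so an embedded NUL is seen and rejected. */
bool sni_hostname_is_valid(const char *name, size_t len)
{
    if (len == 0 || len > 253)
        return false;
    if (name[len - 1] == '.')          /* tolerate one trailing dot */
        len--;

    size_t label_len = 0;
    bool label_all_digits = true;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (c == '.') {
            /* empty label ("a..b", leading '.') or trailing hyphen */
            if (label_len == 0 || name[i - 1] == '-')
                return false;
            label_len = 0;
            label_all_digits = true;
            continue;
        }
        if (!(isalnum(c) || c == '-'))
            return false;              /* ':', NUL, space, non-ASCII... */
        if (c == '-' && label_len == 0)
            return false;              /* leading hyphen */
        if (!isdigit(c))
            label_all_digits = false;
        if (++label_len > 63)
            return false;
    }
    /* final label: non-empty, no trailing hyphen, not purely numeric */
    return label_len > 0 && name[len - 1] != '-' && !label_all_digits;
}
```

Every input the comment shows being accepted is rejected here, while ordinary hostnames such as an A-label like <code>xn--nxasmq6b.example</code> pass.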
</body>
</html>