[Help-gnutls] Re: gnutls_x509_crt_check_hostname()

Simon Josefsson simon at josefsson.org
Wed Aug 12 10:27:20 CEST 2009


Daniel Stenberg <daniel at haxx.se> writes:

> Hey gnutls'ers!
>
> When I pass a cert and a hostname to the
> gnutls_x509_crt_check_hostname() function (I'm using 2.8.1-2 on a
> Debian Linux here), I'm seeing a problem I'd like your feedback on!
>
> If the server cert has a subjectAltName field that doesn't match, but
> also a CN that matches, it seems this function happily returns OK. The
> way I'm reading RFC2818, that's not what it is supposed to do:
>
>     If a subjectAltName extension of type dNSName is present, that MUST
>     be used as the identity. Otherwise, the (most specific) Common Name
>     field in the Subject field of the certificate MUST be used.
>
> Am I wrong?

I agree with you.

Looking at the code, though, it seems that at a first glance both the
comments and the code suggest that this situation is taken into
account.  I've noticed that the code fails to check return values, so a
corrupt SAN might be skipped, but I'm not sure if that applies in your
situation.

Can you post the certificate, or create one that exhibits the same
problem?

We'll need to do a 2.8.3 shortly so if there is another problem in this
area, it would be nice to fix it at the same time.

/Simon

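Added example, not GnuTLS code and not part of this thread: the RFC 2818 rule Daniel quotes, written out for the simplified case where the certificate's dNSName entries and Subject CN have already been extracted (a real check would pull them from the parsed certificate; here they are plain strings). It handles case-insensitive comparison and a leading `*.` label only; the hostnames are constructed.

```c
#include <stddef.h>
#include <string.h>
#include <strings.h>

/* Constructed model of the identity fields taken out of a certificate.
 * This example does no ASN.1 parsing; the strings are assumed extracted. */
struct cert_ids {
    const char *const *dns_names; /* SAN dNSName values, NULL if none */
    size_t n_dns_names;
    const char *cn;               /* most specific Subject CN, NULL if none */
};

/* RFC 2818 3.1 matching: case-insensitive; a leading "*." matches exactly
 * one label, so *.a.com matches foo.a.com but not bar.foo.a.com. */
static int name_matches(const char *pattern, const char *host)
{
    if (pattern == NULL || host == NULL)
        return 0;
    if (strncmp(pattern, "*.", 2) == 0) {
        const char *dot = strchr(host, '.');
        if (dot == NULL || dot == host)   /* wildcard needs one non-empty label */
            return 0;
        return strcasecmp(pattern + 1, dot) == 0;
    }
    return strcasecmp(pattern, host) == 0;
}

/* Returns 1 if host is a valid identity for the certificate, else 0.
 * If any dNSName is present, only those are consulted; the CN is a
 * fallback used solely when the SAN carries no dNSName at all. */
int rfc2818_check_hostname(const struct cert_ids *ids, const char *host)
{
    size_t i;
    if (ids->n_dns_names > 0) {
        for (i = 0; i < ids->n_dns_names; i++)
            if (name_matches(ids->dns_names[i], host))
                return 1;
        return 0;   /* SAN mismatches: a matching CN must not rescue it */
    }
    return name_matches(ids->cn, host);
}

/* Wrapper for a certificate with at most one dNSName
 * (san_name == NULL means "no SAN dNSName at all"). */
int check_one(const char *san_name, const char *cn, const char *host)
{
    const char *const san[] = { san_name };
    const struct cert_ids ids = { san, san_name ? 1 : 0, cn };
    return rfc2818_check_hostname(&ids, host);
}
```

The first case below is the situation from the report: a non-matching dNSName with a matching CN must be rejected.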