[Help-gnutls] Re: gnutls_x509_crt_check_hostname()

Simon Josefsson simon at josefsson.org
Wed Aug 12 10:53:03 CEST 2009

Daniel Stenberg <daniel at haxx.se> writes:

> On Wed, 12 Aug 2009, Simon Josefsson wrote:
>> Can you post the certificate, or create one that exhibits the same problem?
> Yes I can. I have the luxury of actually being able to repeat this
> problem within the curl test suite (test 311). This test was just
> added and thus made me notice this flaw...
> The exact cerficates used for this test are found here:
> http://cool.haxx.se/cvs.cgi/curl/tests/certs/
> The "Server-localhost0h-sv.pem" is used for the server cert, while
> EdelCurlRoot-ca.crt is the cacert.

Thanks.  The extra spice needed here is that the SAN contains an
embedded NUL.

This is what I feared would happen if we return an error when NUL in
CN/SAN values is discovered: some other code incorrectly uses the error
to mean that there is no valid SAN field at all, and proceeds to check
the CN instead.  Possibly we need to return valid data, but make sure
any NULs are correctly LDAP-escaped.

Maybe we can come up with a simpler solution...


More information about the Gnutls-help mailing list