[Help-gnutls] Re: gnutls_x509_crt_check_hostname()

Simon Josefsson simon at josefsson.org
Thu Aug 13 11:51:13 CEST 2009


Daniel Stenberg <daniel at haxx.se> writes:

> On Wed, 12 Aug 2009, Simon Josefsson wrote:
>
>> Can you post the certificate, or create one that exhibits the same problem?
>
> Yes I can. I have the luxury of actually being able to repeat this
> problem within the curl test suite (test 311). This test was just
> added and thus made me notice this flaw...
>
> The exact certificates used for this test are found here:
> http://cool.haxx.se/cvs.cgi/curl/tests/certs/
>
> The "Server-localhost0h-sv.pem" is used for the server cert, while
> EdelCurlRoot-ca.crt is the cacert.

Looking into this further, I'm not able to reproduce it...  The code
below, that uses your cert, works for me with 2.8.2.  It appears as if
the patch that went into 2.8.2 to fix the security issue is effective.
Am I doing something wrong?

If you can convert the code into a test that incorrectly fails with
2.8.2 (or upcoming 2.8.3) it will be easier for me to fix it.

jas@mocca:~$ gcc -o test test.c -lgnutls
jas@mocca:~$ ./test
Hostname correctly does not match (0)
jas@mocca:~$

/Simon
-------------- next part --------------
A non-text attachment was scrubbed...
Name: test.c
Type: text/x-csrc
Size: 5778 bytes
Desc: not available
URL: </pipermail/attachments/20090813/37264f35/attachment.c>

