Fwd: Re: [oss-security] CVE Request: evolution-data-server lacks SSL checking in its libsoup users

Ludwig Nussel ludwig.nussel at suse.de
Tue May 8 15:57:45 CEST 2012


Nikos Mavrogiannopoulos wrote:
> On Tue, May 8, 2012 at 2:46 PM, Ludwig Nussel <ludwig.nussel at suse.de> wrote:
> 
> [...]
>> It supports similar trust settings like NSS though. Check the -addtrust
>> parameter of "openssl x509".
> 
> Are you sure that addtrust doesn't just consult the object identifiers
> present in the certificate?

-addtrust (and -setalias) are independent of the information in the certificate.

crypto/asn1/x_x509a.c:

/* X509_CERT_AUX routines. These are used to encode additional
 * user modifiable data about a certificate. This data is
 * appended to the X509 encoding when the *_X509_AUX routines
 * are used. This means that the "traditional" X509 routines
 * will simply ignore the extra data. 
 */

static X509_CERT_AUX *aux_get(X509 *x);

ASN1_SEQUENCE(X509_CERT_AUX) = {
	ASN1_SEQUENCE_OF_OPT(X509_CERT_AUX, trust, ASN1_OBJECT),
	ASN1_IMP_SEQUENCE_OF_OPT(X509_CERT_AUX, reject, ASN1_OBJECT, 0),
	ASN1_OPT(X509_CERT_AUX, alias, ASN1_UTF8STRING),
	ASN1_OPT(X509_CERT_AUX, keyid, ASN1_OCTET_STRING),
	ASN1_IMP_SEQUENCE_OF_OPT(X509_CERT_AUX, other, X509_ALGOR, 1)
} ASN1_SEQUENCE_END(X509_CERT_AUX)

IMPLEMENT_ASN1_FUNCTIONS(X509_CERT_AUX)


cu
Ludwig

-- 
 (o_   Ludwig Nussel
 //\
 V_/_  http://www.suse.de/
SUSE LINUX Products GmbH, GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer, HRB 16746 (AG Nürnberg) 
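
An added example, not part of Ludwig's message and not OpenSSL's own code: a small pure-Python DER codec for the X509_CERT_AUX trailer quoted above. Running "openssl x509 -in cert.pem -addtrust serverAuth -setalias 'My CA' -trustout" writes a "TRUSTED CERTIFICATE" PEM block whose DER is the certificate followed by this SEQUENCE, which is exactly why the settings do not depend on anything inside the certificate: a parser that stops after the first top-level SEQUENCE never sees them. The certificate bytes below are a constructed stand-in, since splitting off the trailer only needs the outer SEQUENCE length; the "other" field is not handled.

```python
# Added example (editor's code, not from the thread or from OpenSSL).
# Models the ASN.1 layout of X509_CERT_AUX from crypto/asn1/x_x509a.c:
#   trust   SEQUENCE OF OBJECT IDENTIFIER OPTIONAL          (tag 0x30)
#   reject  [0] IMPLICIT SEQUENCE OF OBJECT IDENTIFIER OPT  (tag 0xA0)
#   alias   UTF8String OPTIONAL                             (tag 0x0C)
#   keyid   OCTET STRING OPTIONAL                           (tag 0x04)
#   other   [1] IMPLICIT SEQUENCE OF AlgorithmIdentifier    (not parsed here)

OID_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"       # id-kp-serverAuth (what -addtrust serverAuth stores)
OID_EMAIL_PROTECTION = "1.3.6.1.5.5.7.3.4"  # id-kp-emailProtection


def der_len(n):
    """DER length octets, short and long form."""
    if n < 0x80:
        return bytes([n])
    out = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(out)]) + out


def tlv(tag, body):
    """One single-byte-tag DER element."""
    return bytes([tag]) + der_len(len(body)) + body


def read_tlv(buf, pos=0):
    """Return (tag, body, end_offset) for the element starting at pos."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def encode_oid(dotted):
    """Dotted OID string -> DER OBJECT IDENTIFIER (base-128 arcs)."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        body += bytes(chunk)
    return tlv(0x06, bytes(body))


def decode_oid(body):
    """DER OBJECT IDENTIFIER contents -> dotted string."""
    arcs = [body[0] // 40, body[0] % 40]
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def encode_cert_aux(trust=(), reject=(), alias=None, keyid=None):
    """Build X509_CERT_AUX with the field order and tagging of x_x509a.c."""
    parts = b""
    if trust:
        parts += tlv(0x30, b"".join(encode_oid(o) for o in trust))
    if reject:
        parts += tlv(0xA0, b"".join(encode_oid(o) for o in reject))
    if alias is not None:
        parts += tlv(0x0C, alias.encode("utf-8"))
    if keyid is not None:
        parts += tlv(0x04, keyid)
    return tlv(0x30, parts)


def decode_cert_aux(aux):
    """Parse the trailer back into a dict; the 'other' field is skipped."""
    tag, body, _ = read_tlv(aux)
    assert tag == 0x30, "X509_CERT_AUX must be a SEQUENCE"
    out = {"trust": [], "reject": [], "alias": None, "keyid": None}
    pos = 0
    while pos < len(body):
        tag, field, pos = read_tlv(body, pos)
        if tag in (0x30, 0xA0):
            key = "trust" if tag == 0x30 else "reject"
            p = 0
            while p < len(field):
                _, oid, p = read_tlv(field, p)
                out[key].append(decode_oid(oid))
        elif tag == 0x0C:
            out["alias"] = field.decode("utf-8")
        elif tag == 0x04:
            out["keyid"] = field
    return out


def split_trusted_cert(blob):
    """Split TRUSTED CERTIFICATE DER into (certificate, aux trailer).

    The certificate is the first top-level SEQUENCE; whatever follows is
    the X509_CERT_AUX data that a plain X.509 decoder simply ignores.
    """
    _, _, end = read_tlv(blob)
    return blob[:end], blob[end:]


# Constructed stand-in for a certificate's DER (SEQUENCE { INTEGER 1 }):
# the trailer handling only reads the outer SEQUENCE length.
FAKE_CERT_DER = tlv(0x30, tlv(0x02, b"\x01"))


def demo():
    """Encode a trailer, append it, split it off again and decode it."""
    aux = encode_cert_aux(trust=[OID_SERVER_AUTH],
                          reject=[OID_EMAIL_PROTECTION],
                          alias="example trust anchor")
    cert, trailer = split_trusted_cert(FAKE_CERT_DER + aux)
    return cert == FAKE_CERT_DER, decode_cert_aux(trailer)


if __name__ == "__main__":
    print(demo())
```

The same split can be applied to a real "TRUSTED CERTIFICATE" block after base64-decoding it: the first element is byte-for-byte the certificate the CA issued, and the trust, reject and alias settings sit entirely in the second element.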