[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: (ITS#5361) cert verification failures with GnuTLS and DNS subjectAlt
From: |
Joe Orton |
Subject: |
Re: (ITS#5361) cert verification failures with GnuTLS and DNS subjectAltName |
Date: |
Thu, 14 Feb 2008 22:34:50 +0000 |
User-agent: |
Mutt/1.5.17 (2007-11-01) |
On Sun, Feb 10, 2008 at 01:58:37AM -0800, Howard Chu wrote:
> Yes. I've just tested with GnuTLS 2.2.1 and 2.3.0 and see the same result
> you're seeing. The change is here:
> http://git.savannah.gnu.org/gitweb/?p=gnutls.git;a=commitdiff;h=deaa3ac31c2e83c292562ab66c1817c7ebc27048
>
> and it is clearly a bug, since subjectAltName's are not necessarily
> strings. (E.g., they can also be IP addresses, which are just 4 or 16
> octets.) If you notice in the diff, they set
> *name_size = len + 1;
> and then later
> name[len] = 0;
> but this occurs *after* the check for SHORT_MEMORY_BUFFER. So in fact they
> can cause a write past the end of the supplied buffer.
>
> This patch should be reverted, it is clearly wrong.
FWIW, I agree. neon's test cases for subjectAltName support are
breaking with 2.3.0 as well. Reverting the changeset Howard referenced
fixes the issues.
joe
- Re: (ITS#5361) cert verification failures with GnuTLS and DNS subjectAltName, Howard Chu, 2008/02/11
- Re: (ITS#5361) cert verification failures with GnuTLS and DNS subjectAltName,
Joe Orton <=
- Re: (ITS#5361) cert verification failures with GnuTLS and DNS subjectAltName, Nikos Mavrogiannopoulos, 2008/02/15
- Re: (ITS#5361) cert verification failures with GnuTLS and DNS subjectAltName, Howard Chu, 2008/02/16
- Re: (ITS#5361) cert verification failures with GnuTLS and DNS subjectAltName, Nikos Mavrogiannopoulos, 2008/02/15
- Re: (ITS#5361) cert verification failures with GnuTLS and DNS subjectAltName, Howard Chu, 2008/02/16
- Re: (ITS#5361) cert verification failures with GnuTLS and DNS subjectAltName, Nikos Mavrogiannopoulos, 2008/02/15
- Re: (ITS#5361) cert verification failures with GnuTLS and DNS subjectAltName, Howard Chu, 2008/02/16
- Re: (ITS#5361) cert verification failures with GnuTLS and DNS subjectAltName, Andreas Metzler, 2008/02/17
- Re: (ITS#5361) cert verification failures with GnuTLS and DNS subjectAltName, Nikos Mavrogiannopoulos, 2008/02/17