[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: (ITS#5361) cert verification failures with GnuTLS and DNS subjectAlt

From: Howard Chu
Subject: Re: (ITS#5361) cert verification failures with GnuTLS and DNS subjectAltName
Date: Fri, 15 Feb 2008 12:38:27 -0800
User-agent: Mozilla/5.0 (X11; U; Linux i686; rv:1.9b3pre) Gecko/2008013117 SeaMonkey/2.0a1pre

Nikos Mavrogiannopoulos wrote:
On Friday 15 February 2008, Howard Chu wrote:
Nikos Mavrogiannopoulos wrote:
Indeed I'll try to improve this patch to work only for formats known
to be text.
The code was perfectly correct before this patch. Why do you want to change
anything here at all? I looked in the gnutls-devel archives and couldn't
find any discussion of this change. It would be nice to understand what
you're trying to accomplish here, given that there are large bodies of code
already written that expect the existing behavior of GnuTLS 2.1.7 and

Well, it depends on the definition of correct. It didn't null terminate
printable strings, and this was so correct for me.

Fair enough, that's your definition. Most people coding for X.509 understand that it's ASN.1/DER and as such, they're accustomed to the fact that strings use counted lengths, not NUL terminators. As such, the old behavior was normal and expected. Also, the behavior you introduce here makes this particular API behave differently from every other API that extracts strings from certificates. Note - this is not a suggestion to you to now go and change all those other APIs.

Anyway, does the attached
patch solve your problem?

Not really. It still returns a size one byte larger than expected for the strings. Even in languages where NUL-terminated strings are the norm, the terminating byte is not included in the length.

The point is, we expect this API to return exactly the data that was in the certificate. If the caller wants to treat the data as a string, they can NUL-terminate it themselves. The manpage only says that the data will be returned, it does not say that it will be altered in any way.

  -- Howard Chu
  Chief Architect, Symas Corp.
  Director, Highland Sun
  Chief Architect, OpenLDAP

reply via email to

[Prev in Thread] Current Thread [Next in Thread]