Re: [exim-dev] [Bug 1479] hostname check missing when verify…

Author: Jeremy Harris
Date:  
To: exim-dev
Subject: Re: [exim-dev] [Bug 1479] hostname check missing when verifying X509 certificate
On 16/05/14 01:06, Viktor Dukhovni wrote:
> On Fri, May 16, 2014 at 12:17:33AM +0100, Jeremy Harris wrote:
>
>> Created an attachment (id=728)
>> --> (http://bugs.exim.org/attachment.cgi?id=728)
>> prototype patch
>
> You SHOULD NOT join all the altName values with newlines, and then
> split that to recover the altnames.


List joining and splitting in the exim implementation code
preserves embedded separator characters in list elements.


> ASN.1 strings can contain NUL octets, and are not C strings. This
> implementation leaves the potential problem unchecked.


We do not support names with embedded NULs.

The implementation here either converts NULs to #-sequences,
per rfc4514, or treats it as terminating the string. Both
ways are safe.


> Later, for DANE, you'll need to allow multiple names any one of
> which might match the peer certificate.


This isn't DANE. Do you see it as potentially part of a DANE
implementation?

> You also should probably
> support wildcards "*.example.com".


Agreed. The later-version GnuTLS implementation probably does
already as it uses the builtin library routine, but the others
need to.

-- 
Cheers,
    Jeremy
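
An added example, not part of the original message and not Exim's code: one way to handle the points raised in this thread is to keep each altName as a length-delimited byte string, reject any name that contains a NUL octet, accept a match on any one name, and let a leading `*.` stand for a single leftmost label. The `struct altname` type and the function names are assumptions made for illustration.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* One altName as decoded: raw bytes plus ASN.1 length, kept length-delimited
   rather than joined into one separator-delimited C string. */
struct altname { const unsigned char *data; size_t len; };

static int eq_nocase(const char *a, const char *b, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return 0;
    return 1;
}

/* Return 1 if this altName matches the expected host name, else 0. */
int altname_matches(const struct altname *an, const char *host) {
    const char *pat = (const char *)an->data;
    /* Empty name or embedded NUL: not a usable DNS name, reject. */
    if (an->len == 0 || memchr(pat, '\0', an->len) != NULL)
        return 0;
    if (an->len > 2 && pat[0] == '*' && pat[1] == '.') {
        /* "*.example.com": the wildcard covers exactly one leftmost label. */
        const char *dot = strchr(host, '.');
        if (dot == NULL || dot == host || memchr(pat + 1, '*', an->len - 1))
            return 0;
        return strlen(dot) == an->len - 1 && eq_nocase(dot, pat + 1, an->len - 1);
    }
    if (memchr(pat, '*', an->len) != NULL)  /* any other wildcard form: no match */
        return 0;
    return strlen(host) == an->len && eq_nocase(host, pat, an->len);
}

/* A certificate carries several altNames; any one of them may match. */
int any_altname_matches(const struct altname *names, size_t n, const char *host) {
    for (size_t i = 0; i < n; i++)
        if (altname_matches(&names[i], host))
            return 1;
    return 0;
}

int main(void) {
    /* Constructed sample names; the second carries an embedded NUL. */
    static const unsigned char w[] = "*.example.com", z[] = "a.example.org\0.example.net";
    const struct altname names[] = { { w, sizeof w - 1 }, { z, sizeof z - 1 } };
    return !(any_altname_matches(names, 2, "mail.example.com")
             && !any_altname_matches(names, 2, "a.example.org"));
}
```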