Re: [exim-dev] [Bug 1479] hostname check missing when verify…

Top Pagina
Delete this message
Reply to this message
Auteur: Jeremy Harris
Datum:  
Aan: exim-dev
Onderwerp: Re: [exim-dev] [Bug 1479] hostname check missing when verifying X509 certificate
On 16/05/14 01:06, Viktor Dukhovni wrote:
> On Fri, May 16, 2014 at 12:17:33AM +0100, Jeremy Harris wrote:
>
>> Created an attachment (id=728)
>> --> (http://bugs.exim.org/attachment.cgi?id=728)
>> prototype patch
>
> You SHOULD NOT join all the altName values with newlines, and then
> split that to recover the altnames.


List joining and splitting in the exim implementation code
preserves embedded separator characters in list elements.


> ASN.1 strings can contain NUL octets, and are not C strings. This
> implementation leaves the potential problem unchecked.


We do not support names with embedded NULs.

The implementation here either converts NULs to #-sequences,
per rfc4514, or treats it as terminating the string. Both
ways are safe.


> Later, for DANE, you'll need to allow multiple names any one of
> which might match the peer certificate.


This isn't DANE. Do you see it as potentially part of a DANE
implementation?

> You also should probably
> support wildcards "*.example.com".


Agreed. The later-version GnuTLS implementation probably does
already as it uses the builtin library routine, but the others
need to.

-- 
Cheers,
    Jeremy