
curl-library

Re: Patches (was Re: Merry Christmas!)

From: Philippe Raoult <phir_at_gcu-squad.org>
Date: Mon, 23 Dec 2002 10:50:10 +0100

On Thu, 19 Dec 2002 14:23:50 +0100 (MET)
Daniel Stenberg <daniel_at_haxx.se> wrote:

> On Thu, 19 Dec 2002, Philippe Raoult wrote:
>
> > I'd like to submit a patch for certificate checking. I had more or less
> > dropped the issue since it's quite low on my priority list (my quick&dirty
> > patch is enough for the use I have), but I will definitely do something
> > before 7.10.3.
>
> Please do.

I just did :)

Since my last patch took a bit of [deserved] flak I'll detail its behavior.
strequal(peer_CN, hostname) is replaced by a host_check function which does
the following:

- sanity checks (NULL arguments and strlen)
- trivial case check (CN == hostname)
- check if CN begins with "*.", which indicates a wildcard certificate
- check that CN has another dot in its name (we don't want *.com certs)
- remove the * and check that peer_cn is a perfect tail match for hostname
(i.e. peer_cn == a tail substring of hostname)
- check that the part of hostname which wasn't matched does not contain a dot.

I think the checking is now pretty sane. It does not include embedded wildcards
(f*.bar.com, mentioned by Chris) but I don't think anyone actually uses them.
To quote Chris:
<quote>
* To be safe, it should be a real 'domain level' match:
   foo.example.com == *.example.com
   foo.bar.example.com != *.example.com
   foo.example.com.au != *.example.com # important!

On the more thorny issue - many browsers I tried do accept certificates for
a CN 'domain' that is above the actual web site URL name (without any
wildcard symbols!):
  foo.example.com == example.com
  foo.bar.example.com == example.com

</quote>

My patch works as expected for the examples. It does not check the alternate
subject name(s), but it should be pretty easy to add (I don't know how to get
them) since the check is done in a subfunction.

Finally, the patch doesn't break anything but just adds the most common and most
safe case of wildcards.

Comments & flames welcome :)

regards,
Philippe


Received on 2002-12-23