cURL / Mailing Lists / curl-library / Single Mail

curl-library

RE: [ curl-Bugs-2829955 ] Wildcard cert name checking and nulltermination(fwd)

From: Patrick Monnerat <Patrick.Monnerat_at_datasphere.ch>
Date: Fri, 31 Jul 2009 12:41:33 +0200

Daniel Stenberg wrote:

> The problem is basically that some CAs have allowed zeroes in the name
fields in certs, and the wildcard checking routines like those in
libcurl, assume that the extracted host names are zero terminated and
thus get tricked into verify this certificate for the wrong hosts.

Thanks for the info.
In the case of OS400 SSL, this verification is done by the OS. Thus
either OS400 libcurl is not affected, or at least this potential problem
is beyond libcurl's scope: IBM people's job !
Cheers,
Patrick
Received on 2009-07-31

This message: [ Message body ]
Next message: NCarolina 350: "libcurl tftp large file transfer rollover at 32MB problem"
Previous message: Daniel Stenberg: "RE: [ curl-Bugs-2829955 ] Wildcard cert name checking and null termination(fwd)"
In reply to: Daniel Stenberg: "RE: [ curl-Bugs-2829955 ] Wildcard cert name checking and null termination(fwd)"

Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ] [ by messages with attachments ]