curl-library
RE: [ curl-Bugs-2829955 ] Wildcard cert name checking and nulltermination(fwd)
From: Patrick Monnerat <Patrick.Monnerat_at_datasphere.ch>
Date: Fri, 31 Jul 2009 12:41:33 +0200
Daniel Stenberg wrote:
> The problem is basically that some CAs have allowed zeroes in the name
> fields in certs, and the wildcard checking routines like those in
> libcurl, assume that the extracted host names are zero terminated and
> thus get tricked into verifying this certificate for the wrong hosts.
Thanks for the info.
In the case of OS400 SSL, this verification is done by the OS. Thus
either OS400 libcurl is not affected, or at least this potential problem
is beyond libcurl's scope: IBM people's job!
Cheers,
Patrick
Received on 2009-07-31
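Added example, not part of the original message and not libcurl's code: a name check that trusts zero termination next to one that uses the length stored with the certificate field and rejects embedded zeroes. All function names and the sample name bytes are hypothetical and constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Constructed sample: name bytes as stored in a certificate field, with an
   embedded zero. The length comes from the field, not from strlen(). */
static const char SAMPLE_NAME[] = "www.example.com\0.other.example";
#define SAMPLE_LEN (sizeof(SAMPLE_NAME) - 1)

/* Hypothetical helper: compare name[0..name_len) with host, letting a
   leading "*." stand for exactly one leftmost host label. */
static int match_bytes(const char *name, size_t name_len, const char *host)
{
  size_t host_len = strlen(host);
  if(name_len > 2 && name[0] == '*' && name[1] == '.') {
    const char *dot = strchr(host, '.');
    if(!dot || dot == host)
      return 0;
    host_len -= (size_t)(dot - host);
    host = dot;
    name++;
    name_len--;
  }
  return name_len == host_len && strncasecmp(name, host, name_len) == 0;
}

/* Assumes zero termination: bytes after the first zero are never seen. */
static int naive_name_matches(const char *name, const char *host)
{
  return match_bytes(name, strlen(name), host);
}

/* Uses the field's own length and rejects any name with an embedded zero. */
static int safe_name_matches(const char *name, size_t name_len,
                             const char *host)
{
  if(name_len == 0 || memchr(name, 0, name_len))
    return 0;
  return match_bytes(name, name_len, host);
}

int main(void)
{
  printf("naive: %d\n", naive_name_matches(SAMPLE_NAME, "www.example.com"));
  printf("safe:  %d\n",
         safe_name_matches(SAMPLE_NAME, SAMPLE_LEN, "www.example.com"));
  return 0;
}
```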