
RE: [ curl-Bugs-2829955 ] Wildcard cert name checking and null termination(fwd)

From: Daniel Stenberg <daniel_at_haxx.se>
Date: Sat, 1 Aug 2009 10:17:03 +0200 (CEST)

On Fri, 31 Jul 2009, Daniel Stenberg wrote:

> The problem is basically that some CAs have allowed zeroes in the name
> fields in certs, and the wildcard checking routines like those in libcurl
> assume that the extracted host names are zero terminated and thus get
> tricked into verifying this certificate for the wrong hosts.

Okay friends, here's my take at addressing this issue. It only applies to code
using OpenSSL.

We don't have any test case for this issue or even the legitimate wildcard
alternative name feature, so I would really appreciate some eyeballs on this
and, if possible, that someone could test this with a local setup, in case you
actually DO know of a site that uses things like this.

-- 
  / daniel.haxx.se
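The termination assumption described in the quoted paragraph, shown as an added example that is not part of this mail or of libcurl's actual patch. `hostmatch_naive` stands in for a matcher that trusts the first NUL byte it meets; `hostmatch_n` is a length-aware rewrite that takes the name field together with the length the X.509 parser reports, rejects any field containing an embedded NUL, and honours a single leading `*.` label. The function names and the certificate name strings are constructed for the illustration.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum { HOST_NOMATCH = 0, HOST_MATCH = 1 };

/* Case-insensitive comparison of exactly n bytes (DNS names are case-insensitive). */
static int eq_nocase(const char *a, const char *b, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return 0;
    return 1;
}

/* The flawed pattern from the mail: the cert name is treated as a C string,
 * so strlen() stops at the first NUL and the trailing bytes are never seen.
 * (Wildcards are omitted here; only the termination assumption matters.) */
int hostmatch_naive(const char *cert_name, const char *host) {
    size_t n = strlen(cert_name);
    return strlen(host) == n && eq_nocase(cert_name, host, n) ? HOST_MATCH : HOST_NOMATCH;
}

/* Length-aware matcher. cert_name/cert_len is the raw field content as the
 * certificate parser reports it; host is the NUL-terminated name we connected to.
 * A leading "*." matches exactly one label and needs at least two more labels,
 * so "*.com" never matches anything. */
int hostmatch_n(const char *cert_name, size_t cert_len, const char *host) {
    /* A NUL inside the declared length means the field was crafted or corrupt. */
    if (cert_len == 0 || memchr(cert_name, '\0', cert_len) != NULL)
        return HOST_NOMATCH;

    size_t host_len = strlen(host);

    if (cert_len >= 2 && cert_name[0] == '*' && cert_name[1] == '.') {
        const char *suffix = cert_name + 1;      /* ".example.com" */
        size_t suffix_len = cert_len - 1;
        /* Require a further dot after the wildcard's own dot. */
        if (memchr(suffix + 1, '.', suffix_len - 1) == NULL)
            return HOST_NOMATCH;
        const char *dot = strchr(host, '.');     /* end of the host's first label */
        if (dot == NULL)
            return HOST_NOMATCH;
        size_t host_suffix_len = host_len - (size_t)(dot - host);
        if (host_suffix_len != suffix_len)
            return HOST_NOMATCH;
        return eq_nocase(dot, suffix, suffix_len) ? HOST_MATCH : HOST_NOMATCH;
    }

    if (host_len != cert_len)
        return HOST_NOMATCH;
    return eq_nocase(cert_name, host, cert_len) ? HOST_MATCH : HOST_NOMATCH;
}

int main(void) {
    /* Constructed name field with an embedded NUL after a legitimate-looking prefix. */
    static const char crafted[] = "www.example.com\0.evil.example";
    size_t crafted_len = sizeof(crafted) - 1;    /* 29 bytes as the parser would report */

    printf("naive  : %d (accepts the crafted name)\n",
           hostmatch_naive(crafted, "www.example.com"));
    printf("length : %d (rejects it)\n",
           hostmatch_n(crafted, crafted_len, "www.example.com"));
    printf("wild   : %d (*.example.com vs www.example.com)\n",
           hostmatch_n("*.example.com", 13, "www.example.com"));
    return 0;
}
```

The key difference is the input contract: the safe version never lets the name become a C string before it has been checked against the length the parser knows, which is the only reliable place to detect the embedded zero.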

Received on 2009-08-01