curl-library
Re: schannel modifications for WinCE 6
Date: Thu, 11 Sep 2014 22:37:01 +0200
On 11.09.2014 um 14:57 Ben Sutcliffe wrote:
>
>
>         - Fix an apparent bug in hostname verification for wildcard
>         certs.  For *.example.com from the cert, it was comparing
>         ".example.com" instead of "example.com" against the server's
>         hostname
>
>
>     Oh, that's not just for the embedded version then is it? It sounds
>     significant enough that it is strange that it hasn't already been
>     reported...
>
>
> The bug I found was in verify_certificate(), which is only used in the
> WinCE implementation of schannel:
>
> #ifdef _WIN32_WCE
>   /* Windows CE doesn't do any server certificate validation.
>      We have to do it manually. */
>   if(data->set.ssl.verifypeer)
>     return verify_certificate(conn, sockindex);
> #endif
I don't think that "*.example.com" should match "example.com".
Please see: http://en.wikipedia.org/wiki/Wildcard_certificate#Example
and the RFC: http://tools.ietf.org/html/rfc6125#section-6.4.3
So the current implementation looks just fine.
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette:  http://curl.haxx.se/mail/etiquette.html
Received on 2014-09-11
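The matching rule the reply points to (RFC 6125 section 6.4.3: a wildcard that is the whole leftmost label matches exactly one label, so "*.example.com" matches "www.example.com" but neither "example.com" nor "a.b.example.com") is shown below as an added example. It is not curl's hostmatch() nor the WinCE verify_certificate() code discussed in the thread. It assumes the restricted form of the rule (only a full leftmost "*" label is treated as a wildcard, partial labels such as "baz*.example.net" are rejected) and adds one restriction beyond the RFC, namely that at least two labels must follow the wildcard so that "*.com" is never accepted; both choices are assumptions, not something the thread states.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* ASCII case-insensitive comparison of n bytes (DNS names are case-insensitive). */
static bool ieq(const char *a, const char *b, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return false;
    }
    return true;
}

/* Number of dot-separated labels in a non-empty name ("example.com" -> 2). */
static size_t count_labels(const char *s)
{
    size_t n = 1;
    for (; *s; s++)
        if (*s == '.')
            n++;
    return n;
}

/* Case-insensitive whole-name comparison. */
static bool exact_match(const char *pattern, const char *host)
{
    size_t n = strlen(pattern);
    return strlen(host) == n && ieq(pattern, host, n);
}

/*
 * hostmatch(): does the server hostname `host` match the presented
 * identifier `pattern` from the certificate?
 *
 *  - No '*' in the pattern: plain case-insensitive comparison.
 *  - Otherwise the '*' must be the complete leftmost label ("*.").
 *    "bar.*.example.net" and "baz*.example.net" are rejected.
 *  - The wildcard stands for exactly ONE label, so the host must be
 *    "<one label>" + ".example.com" with nothing else in front of it.
 *    "*.example.com" therefore does NOT match "example.com" (no label
 *    to consume) and does NOT match "a.b.example.com" (two labels).
 *  - Assumption beyond RFC 6125: at least two labels must follow the
 *    wildcard, so "*.com" is rejected outright.
 */
bool hostmatch(const char *pattern, const char *host)
{
    if (!pattern || !host || !*pattern || !*host)
        return false;

    const char *star = strchr(pattern, '*');
    if (!star)
        return exact_match(pattern, host);

    /* The wildcard must be the whole leftmost label, and the only one. */
    if (star != pattern || pattern[1] != '.' || strchr(pattern + 1, '*'))
        return false;

    const char *suffix = pattern + 1;          /* ".example.com" */
    if (count_labels(suffix + 1) < 2)          /* "example.com" -> 2 labels */
        return false;                          /* rejects "*.com" (assumption) */

    /* Everything from the host's first dot onward must equal the suffix;
     * the part before the first dot is the single label the '*' consumes. */
    const char *dot = strchr(host, '.');
    if (!dot || dot == host)                   /* no label, or an empty label */
        return false;

    size_t slen = strlen(suffix);
    return strlen(dot) == slen && ieq(dot, suffix, slen);
}

/* Constructed sample inputs; not taken from any real certificate. */
int main(void)
{
    static const struct { const char *pat, *host; } cases[] = {
        { "*.example.com", "www.example.com" },
        { "*.example.com", "WWW.Example.COM" },
        { "*.example.com", "example.com" },      /* the case argued in the thread */
        { "*.example.com", "a.b.example.com" },
        { "*.com",         "example.com" },
        { "bar.*.example.net", "bar.x.example.net" },
        { "example.com",   "example.com" },
        { "example.com",   "www.example.com" },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-20s vs %-20s -> %s\n", cases[i].pat, cases[i].host,
               hostmatch(cases[i].pat, cases[i].host) ? "match" : "no match");
    return 0;
}
```

The thread's bug description, comparing ".example.com" against the server name instead of "example.com", would still come out as "no match" for "example.com" here, which is the behaviour the reply says is correct; the example makes the one-label rule explicit rather than relying on a string length accident.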