[Date Prev][Date Next] [Chronological] [Thread] [Top]

(ITS#5361) cert verification failures with GnuTLS and DNS subjectAltName

Full_Name: Steve Langasek
Version: 2.4.7
OS: Debian
URL: http://people.ubuntu.com/~vorlon/gnutls-altname-nulterminated.patch
Submission from: (NULL) (2001:4830:1244:0:219:d2ff:fe76:2acb)

When built with GnuTLS, libldap fails to correctly verify DNS hostnames against
the subjectAltName field of the provided certificate.  The reason for this is
that, while the "length" that gnutls returns for the CN is equal to the
strlen(), the length returned by gnutls_x509_crt_get_subject_alt_name() includes
a trailing NUL.

I have verified that the referenced patch corrects this for the case of
non-wildcard DNS subjectAltName values.  I have not tested the code for the
wildcarded case, though it seems likely that the same bug applies there and will
need to be fixed.