[Date Prev][Date Next] [Chronological] [Thread] [Top]

(ITS#5361) cert verification failures with GnuTLS and DNS subjectAltName

To: openldap-its@OpenLDAP.org
Subject: (ITS#5361) cert verification failures with GnuTLS and DNS subjectAltName
From: steve.langasek@canonical.com
Date: Sat, 9 Feb 2008 02:45:08 GMT

Full_Name: Steve Langasek
Version: 2.4.7
OS: Debian
URL: http://people.ubuntu.com/~vorlon/gnutls-altname-nulterminated.patch
Submission from: (NULL) (2001:4830:1244:0:219:d2ff:fe76:2acb)


When built with GnuTLS, libldap fails to correctly verify DNS hostnames against
the subjectAltName field of the provided certificate.  The reason for this is
that, while the "length" that gnutls returns for the CN is equal to the
strlen(), the length returned by gnutls_x509_crt_get_subject_alt_name() includes
a trailing NUL.

I have verified that the referenced patch corrects this for the case of
non-wildcard DNS subjectAltName values.  I have not tested the code for the
wildcarded case, though it seems likely that the same bug applies there and will
need to be fixed.

Prev by Date: (ITS#5360) wrong default for TLSVerifyClient (with GnuTLS?)
Next by Date: Re: (ITS#5344) Wrong check for bad Modify DN
Index(es):
- Chronological
- Thread