[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: (ITS#5361) cert verification failures with GnuTLS and DNS subjectAltName

steve.langasek@canonical.com wrote:
> Full_Name: Steve Langasek
> Version: 2.4.7
> OS: Debian
> URL: http://people.ubuntu.com/~vorlon/gnutls-altname-nulterminated.patch
> Submission from: (NULL) (2001:4830:1244:0:219:d2ff:fe76:2acb)
> When built with GnuTLS, libldap fails to correctly verify DNS hostnames against
> the subjectAltName field of the provided certificate.  The reason for this is
> that, while the "length" that gnutls returns for the CN is equal to the
> strlen(), the length returned by gnutls_x509_crt_get_subject_alt_name() includes
> a trailing NUL.
> I have verified that the referenced patch corrects this for the case of
> non-wildcard DNS subjectAltName values.  I have not tested the code for the
> wildcarded case, though it seems likely that the same bug applies there and will
> need to be fixed.

I cannot duplicate this error with GnuTLS 1.7.8 or 1.7.9. The altname length 
that is returned just includes the non-NUL characters. Note that all of 
libldap's TLS functionality was tested and working with GnuTLS 1.7. What 
version are you using? It seems to me that if your version of GnuTLS is indeed 
behaving this way, then it's a GnuTLS bug, since in C, the length of a string 
never includes the trailing NUL.
   -- Howard Chu
   Chief Architect, Symas Corp.  http://www.symas.com
   Director, Highland Sun        http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP     http://www.openldap.org/project/