
A longstanding GnuTLS certificate validation botch

Posted Mar 5, 2014 16:49 UTC (Wed) by SEJeff (subscriber, #51588)
Parent article: A longstanding GnuTLS certificate validation botch

Kind of telling critique (rightfully so) of GnuTLS's code quality and overall design from Howard Chu, the chief architect behind OpenLDAP:

http://www.openldap.org/lists/openldap-devel/200802/msg00...


A longstanding GnuTLS certificate validation botch

Posted Mar 6, 2014 9:15 UTC (Thu) by nowster (subscriber, #67) [Link]

That was six years ago. Has that report been acted on in the meantime?

A longstanding GnuTLS certificate validation botch

Posted Mar 6, 2014 11:41 UTC (Thu) by mathstuf (subscriber, #69389) [Link]

Given the age of this bug…I'm going to venture "no".

A longstanding GnuTLS certificate validation botch

Posted Mar 8, 2014 18:51 UTC (Sat) by ametlwn (subscriber, #10544) [Link]

Taking a look at the first complaint:

"It turns out that their corresponding set_subject_alt_name() API only takes a char * pointer as input, without a corresponding length. As such, this API will only work for string-form alternative names, and will typically break with IP addresses and other alternatives."

/**
 * gnutls_x509_crt_set_subject_alt_name:
 * @crt: a certificate of type #gnutls_x509_crt_t
 * @type: is one of the gnutls_x509_subject_alt_name_t enumerations
 [...]
 */
int
gnutls_x509_crt_set_subject_alt_name(gnutls_x509_crt_t crt,
                                     gnutls_x509_subject_alt_name_t type,
                                     const void *data,
                                     unsigned int data_size,
                                     unsigned int flags);

[...]
 * Since: 2.6.0
[...]
/**
 * gnutls_x509_subject_alt_name_t:
 * @GNUTLS_SAN_DNSNAME: DNS-name SAN.
 * @GNUTLS_SAN_RFC822NAME: E-mail address SAN.
 * @GNUTLS_SAN_URI: URI SAN.
 * @GNUTLS_SAN_IPADDRESS: IP address SAN.
 * @GNUTLS_SAN_OTHERNAME: OtherName SAN.
 * @GNUTLS_SAN_DN: DN SAN.
 * @GNUTLS_SAN_OTHERNAME_XMPP: Virtual SAN, used by
 * gnutls_x509_crt_get_subject_alt_othername_oid.
 *
 * Enumeration of different subject alternative names types.
 */
[...]

2.6.0 was released 2008-10-06, about 6 months after the above-mentioned comment. So, looking at/quoting 6-year-old comments indeed seems to be rather pointless.
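The point Chu's complaint turns on is why a SAN setter needs an explicit length at all: an iPAddress SAN is raw binary (4 or 16 bytes), and a `char *`-only interface can only recover a length with `strlen()`, which stops at the first zero byte. The following is an added example, not GnuTLS code and not from the thread: it encodes a single DER GeneralName with two hypothetical encoders, one modelled on the length-carrying signature quoted above (`data` plus `data_size`) and one taking only a `char *`, and shows that the address 10.0.0.1 survives the first and is silently truncated to one byte by the second. The tag values are the real DER context tags for dNSName ([2]) and iPAddress ([7]); the function and enum names are invented for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical names for this example: the DER context-specific tags that
 * GeneralName uses for dNSName ([2]) and iPAddress ([7]). */
enum san_type { SAN_DNSNAME = 0x82, SAN_IPADDRESS = 0x87 };

/* Length-aware encoder, modelled on the (data, data_size) shape of the
 * quoted 2.6.0 signature. Short-form DER length only (data_size < 128).
 * Returns the number of bytes written, or 0 on error. */
size_t encode_general_name(enum san_type type, const void *data,
                           unsigned int data_size, uint8_t *out, size_t out_size)
{
    if (data_size >= 128 || out_size < (size_t)data_size + 2)
        return 0;
    out[0] = (uint8_t)type;      /* tag */
    out[1] = (uint8_t)data_size; /* length */
    memcpy(out + 2, data, data_size);
    return (size_t)data_size + 2;
}

/* The length-less variant criticised in the quoted mail: with only a
 * char * available, strlen() is the only length it can derive. */
size_t encode_general_name_str(enum san_type type, const char *data,
                               uint8_t *out, size_t out_size)
{
    return encode_general_name(type, data, (unsigned int)strlen(data),
                               out, out_size);
}

/* Constructed sample inputs. */
static const uint8_t sample_ip[4] = { 10, 0, 0, 1 }; /* 10.0.0.1, contains a zero byte */
static const char sample_dns[] = "example.com";

/* Each helper returns the DER length byte the encoder produced (0 on error). */
unsigned int ip_len_via_length_api(void)
{
    uint8_t buf[32];
    size_t n = encode_general_name(SAN_IPADDRESS, sample_ip, sizeof sample_ip, buf, sizeof buf);
    return n ? buf[1] : 0;
}

unsigned int ip_len_via_string_api(void)
{
    uint8_t buf[32];
    /* strlen() sees 0x0a then 0x00 and reports 1: the address is truncated. */
    size_t n = encode_general_name_str(SAN_IPADDRESS, (const char *)sample_ip, buf, sizeof buf);
    return n ? buf[1] : 0;
}

unsigned int dns_len_via_string_api(void)
{
    uint8_t buf[32];
    /* A textual name has no embedded zeros, so the string API happens to work. */
    size_t n = encode_general_name_str(SAN_DNSNAME, sample_dns, buf, sizeof buf);
    return n ? buf[1] : 0;
}

int main(void)
{
    printf("iPAddress via length API: %u bytes\n", ip_len_via_length_api()); /* 4 */
    printf("iPAddress via string API: %u bytes\n", ip_len_via_string_api()); /* 1 */
    printf("dNSName via string API:   %u bytes\n", dns_len_via_string_api()); /* 11 */
    return 0;
}
```

The DNS case explains why such an interface can pass testing: the defect only shows up once a caller hands it binary data, which is exactly the iPAddress case Chu named.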


Copyright © 2018, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds