A longstanding GnuTLS certificate validation botch
Posted Mar 6, 2014 9:15 UTC (Thu) by nowster (subscriber, #67)
Posted Mar 6, 2014 11:41 UTC (Thu) by mathstuf (subscriber, #69389)
Posted Mar 8, 2014 18:51 UTC (Sat) by ametlwn (subscriber, #10544)
"It turns out that their corresponding set_subject_alt_name() API only takes a char * pointer as input, without a corresponding length. As such, this API will only work for string-form alternative names, and will typically break with IP addresses and other alternatives."
    /**
     * gnutls_x509_crt_set_subject_alt_name:
     * @crt: a certificate of type #gnutls_x509_crt_t
     * @type: is one of the gnutls_x509_subject_alt_name_t enumerations
     *
     * Since: 2.6.0
     **/
    int
    gnutls_x509_crt_set_subject_alt_name(gnutls_x509_crt_t crt,
                                         gnutls_x509_subject_alt_name_t type,
                                         const void *data,
                                         unsigned int data_size,
                                         unsigned int flags);

    /**
     * gnutls_x509_subject_alt_name_t:
     * @GNUTLS_SAN_DNSNAME: DNS-name SAN.
     * @GNUTLS_SAN_RFC822NAME: E-mail address SAN.
     * @GNUTLS_SAN_URI: URI SAN.
     * @GNUTLS_SAN_IPADDRESS: IP address SAN.
     * @GNUTLS_SAN_OTHERNAME: OtherName SAN.
     * @GNUTLS_SAN_DN: DN SAN.
     * @GNUTLS_SAN_OTHERNAME_XMPP: Virtual SAN, used by
     *
     * Enumeration of different subject alternative names types.
     */
2.6.0 was released 2008-10-06, about 6 months after the above-mentioned comment. So, looking at/quoting 6-year-old comments indeed seems to be rather pointless.
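To illustrate why the quoted comment's char *-only API cannot carry an IP-address SAN while the (data, data_size) form can, here is a small added example written for this page (not GnuTLS code): a minimal DER GeneralName encoder that takes an explicit length, beside a wrapper that can only use strlen(). The tag macro names and the sample address 10.0.0.1 (bytes 0a 00 00 01) are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* RFC 5280 GeneralName context-specific tags (macro names are hypothetical). */
#define SAN_TAG_DNSNAME   0x82  /* [2] dNSName: IA5String, never has a zero byte */
#define SAN_TAG_IPADDRESS 0x87  /* [7] iPAddress: raw 4 or 16 octets, any value */

/* Encode one GeneralName as DER "tag, short-form length, contents".
 * The caller supplies the length, so binary contents survive intact.
 * Returns bytes written, or 0 if the input does not fit short form / out. */
size_t san_encode(uint8_t tag, const void *data, size_t data_size,
                  uint8_t *out, size_t out_size)
{
    if (data_size == 0 || data_size >= 128 || out_size < data_size + 2)
        return 0;
    out[0] = tag;
    out[1] = (uint8_t)data_size;
    memcpy(out + 2, data, data_size);
    return data_size + 2;
}

/* Model of a char *-only API: the only length it can derive is strlen(),
 * which stops at the first zero byte. Fine for names, wrong for addresses. */
size_t san_encode_cstr(uint8_t tag, const char *name,
                       uint8_t *out, size_t out_size)
{
    return san_encode(tag, name, strlen(name), out, out_size);
}

int main(void)
{
    const uint8_t ip[4] = {10, 0, 0, 1};   /* constructed sample: 10.0.0.1 */
    uint8_t buf[32];
    size_t n;

    n = san_encode(SAN_TAG_IPADDRESS, ip, sizeof ip, buf, sizeof buf);
    printf("with explicit length: %zu bytes encoded (tag + len + 4 octets)\n", n);
    /* The second octet of 10.0.0.1 is 0x00, so strlen() sees a 1-byte "string". */
    n = san_encode_cstr(SAN_TAG_IPADDRESS, (const char *)ip, buf, sizeof buf);
    printf("char * only: %zu bytes encoded, address truncated to %zu octet(s)\n",
           n, n - 2);
    return 0;
}
```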
Copyright © 2018, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds