(ITS#5361) cert verification failures with GnuTLS and DNS subjectAltName
hyc at symas.com
Fri Feb 15 21:38:27 CET 2008
Nikos Mavrogiannopoulos wrote:
> On Friday 15 February 2008, Howard Chu wrote:
>> Nikos Mavrogiannopoulos wrote:
>>> Indeed I'll try to improve this patch to work only for formats known
>>> to be text.
>> The code was perfectly correct before this patch. Why do you want to change
>> anything here at all? I looked in the gnutls-devel archives and couldn't
>> find any discussion of this change. It would be nice to understand what
>> you're trying to accomplish here, given that there are large bodies of code
>> already written that expect the existing behavior of GnuTLS 2.1.7 and
> Well, it depends on the definition of correct. It didn't null terminate
> printable strings, and this was so correct for me.
Fair enough, that's your definition. Most people coding for X.509 understand
that it's ASN.1/DER and as such, they're accustomed to the fact that strings
use counted lengths, not NUL terminators. As such, the old behavior was normal
and expected. Also, the behavior you introduce here makes this particular API
behave differently from every other API that extracts strings from
certificates. Note - this is not a suggestion to you to now go and change all
those other APIs.
> Anyway, does the attached
> patch solve your problem?
Not really. It still returns a size one byte larger than expected for the
strings. Even in languages where NUL-terminated strings are the norm, the
terminating byte is not included in the length.
The point is, we expect this API to return exactly the data that was in the
certificate. If the caller wants to treat the data as a string, they can
NUL-terminate it themselves. The manpage only says that the data will be
returned, it does not say that it will be altered in any way.
-- Howard Chu
Chief Architect, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
More information about the Gnutls-devel