please test imminent 2.8.x release

Simon Josefsson simon at josefsson.org
Fri Aug 7 01:49:01 CEST 2009


Because of the NUL in CN/SAN issue we need to release a stable 2.8.x
update quickly.

Please test the release candidate:

http://daily.josefsson.org/gnutls-2.8/gnutls-2.8-20090806.tar.gz

This will be identical with the release unless I hear anything negative.

You can also help by reviewing the changes since 2.8.1:

http://git.savannah.gnu.org/cgit/gnutls.git/log/?h=gnutls_2_8_x

I don't have more spare time to produce releases of older versions with
the patches (this problem came up at bad timing for me, plenty of paying
assignments to work on), but if someone else wants to spend time on
2.6.x or any older release, that would be welcome.  Note that in
addition to the patches that went into 2.8.x you also need to patch the
certificate printing output from gnutls-cli in src/common.c.  GnuTLS
2.8.x and later uses libgnutls to print certificate details instead.

You can use a self-test from the 2.9.x branch to check if your GnuTLS is
vulnerable, see:

http://git.savannah.gnu.org/cgit/gnutls.git/plain/tests/nul-in-x509-names.c

Build and run it like this:

wget http://git.savannah.gnu.org/cgit/gnutls.git/plain/tests/nul-in-x509-names.c
gcc -o nul-in-x509-names nul-in-x509-names.c -lgnutls
./nul-in-x509-names 

On a broken gnutls it will output:

gnutls_x509_crt_check_hostname BROKEN (NUL-IN-CN)
gnutls_x509_crt_check_hostname BROKEN (NUL-IN-SAN)

On a working gnutls it will output:

gnutls_x509_crt_check_hostname OK (NUL-IN-CN)
gnutls_x509_crt_check_hostname OK (NUL-IN-SAN)

/Simon
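
The class of bug the self-test above checks for, shown as an added example that is not part of the original message and is not GnuTLS code: a certificate name carries an explicit length, so a comparison that treats it as a C string stops at the first NUL byte. The function names and the sample name are constructed for illustration; case folding and wildcard matching are left out.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: a CN value with a NUL byte after "www.example.com".
 * In a certificate this arrives as (pointer, length), not as a C string. */
static const unsigned char constructed_cn[] = "www.example.com\0.invalid.example";
#define CONSTRUCTED_CN_LEN (sizeof(constructed_cn) - 1)

/* "Before" form: ignores the encoded length, so the comparison
 * ends at the first NUL and the rest of the name is never examined. */
static int match_as_c_string(const unsigned char *name, size_t len,
                             const char *host)
{
    (void)len;
    return strcmp((const char *)name, host) == 0;
}

/* Hardened form: a DNS name can never contain NUL, so reject any name
 * that does, then compare exactly len bytes against the hostname. */
static int match_length_aware(const unsigned char *name, size_t len,
                              const char *host)
{
    if (memchr(name, '\0', len) != NULL)
        return 0;
    return len == strlen(host) && memcmp(name, host, len) == 0;
}

int main(void)
{
    const char *host = "www.example.com";

    printf("C-string compare:     %s\n",
           match_as_c_string(constructed_cn, CONSTRUCTED_CN_LEN, host)
               ? "match (BROKEN)" : "no match");
    printf("length-aware compare: %s\n",
           match_length_aware(constructed_cn, CONSTRUCTED_CN_LEN, host)
               ? "match" : "no match (OK)");
    return 0;
}
```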




