[sr #107619] Check hostname of certificate failed with two subdomains in hostname

Sebastien Helleu INVALID.NOREPLY at gnu.org
Tue Mar 8 13:23:24 CET 2011


                 Summary: Check hostname of certificate failed with two
subdomains in hostname
                 Project: GnuTLS
            Submitted by: flashcode
            Submitted on: Tue 08 Mar 2011 01:23:23 PM CET
                Category: None
                Priority: 5 - Normal
                Severity: 3 - Normal
                  Status: None
                 Privacy: Public
             Assigned to: None
        Originator Email: 
             Open/Closed: Open
         Discussion Lock: Any
        Operating System: GNU/Linux



I'm WeeChat developer, an irc client, which uses gnutls to connect to irc
When I connect to freenode using SSL, I receive this certificate:

subject `OU=Domain Control Validated,OU=Gandi Standard Wildcard
SSL,CN=*.freenode.net', issuer `C=FR,O=GANDI SAS,CN=Gandi Standard SSL CA',
RSA key ...

I call function "gnutls_x509_crt_check_hostname (cert, hostname)" to check
hostname with certificate.

If I connect to chat.freenode.net, the hostname check is ok (*.freenode.net
matches chat.freenode.net).
But if I connect to ipv6.chat.freenode.net, the hostname check failed because
*.freenode.net does NOT match ipv6.chat.freenode.net (according to RFC2818 you
are using in your function).

My question are:
* is it a problem in freenode certificate? 
* is it ok to use rfc2818 in gnutls to check certificate hostname? shouldn't
*.freenode.net match ipv6.chat.freenode.net ?

Last info, I'm using gnutls 2.10.5 (under debian sid).

Thank you for your help.


Reply to this item at:


  Message sent via/by Savannah

More information about the Gnutls-devel mailing list