[sr #107619] Check hostname of certificate failed with two subdomains in hostname

Sebastien Helleu INVALID.NOREPLY at gnu.org
Tue Mar 8 13:23:24 CET 2011


URL:
  <http://savannah.gnu.org/support/?107619>

                 Summary: Check hostname of certificate failed with two subdomains in hostname
                 Project: GnuTLS
            Submitted by: flashcode
            Submitted on: Tue 08 Mar 2011 01:23:23 PM CET
                Category: None
                Priority: 5 - Normal
                Severity: 3 - Normal
                  Status: None
                 Privacy: Public
             Assigned to: None
        Originator Email: 
             Open/Closed: Open
         Discussion Lock: Any
        Operating System: GNU/Linux

    _______________________________________________________

Details:

Hi,
I'm the developer of WeeChat, an IRC client which uses GnuTLS to connect to IRC
servers.
When I connect to freenode using SSL, I receive this certificate:


subject `OU=Domain Control Validated,OU=Gandi Standard Wildcard
SSL,CN=*.freenode.net', issuer `C=FR,O=GANDI SAS,CN=Gandi Standard SSL CA',
RSA key ...


I call the function "gnutls_x509_crt_check_hostname (cert, hostname)" to check
the hostname against the certificate.

If I connect to chat.freenode.net, the hostname check is OK (*.freenode.net
matches chat.freenode.net).
But if I connect to ipv6.chat.freenode.net, the hostname check fails because
*.freenode.net does NOT match ipv6.chat.freenode.net (according to RFC 2818,
which you are using in your function).

My questions are:
* Is it a problem in the freenode certificate?
* Is it OK to use RFC 2818 in GnuTLS to check the certificate hostname? Shouldn't
*.freenode.net match ipv6.chat.freenode.net?

Last info: I'm using GnuTLS 2.10.5 (under Debian sid).

Thank you for your help.




    _______________________________________________________
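
The single-label wildcard rule from RFC 2818 that the report refers to, as an added example (not part of the original message and not GnuTLS's own implementation). The function name `wildcard_host_match` is hypothetical, and only a whole-label wildcard in the leftmost position is handled.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Returns 1 if host matches pattern, 0 otherwise.
 * Only a whole-label wildcard in the leftmost position ("*.example.net")
 * is handled; it stands for exactly one non-empty DNS label. */
int wildcard_host_match(const char *pattern, const char *host)
{
    if (pattern == NULL || host == NULL || *pattern == '\0' || *host == '\0')
        return 0;

    /* No wildcard: plain case-insensitive comparison. */
    if (strncmp(pattern, "*.", 2) != 0)
        return strcasecmp(pattern, host) == 0;

    /* The wildcard consumes the first label of host only. */
    const char *first_dot = strchr(host, '.');
    if (first_dot == NULL || first_dot == host)
        return 0;               /* no labels to the right, or empty label */

    /* Everything after the first label must equal the pattern suffix,
     * so a second sub-domain level leaves an extra label unmatched. */
    return strcasecmp(first_dot + 1, pattern + 2) == 0;
}

int main(void)
{
    const char *cn = "*.freenode.net";   /* CN from the report above */
    const char *hosts[] = { "chat.freenode.net", "ipv6.chat.freenode.net",
                            "freenode.net" };
    for (size_t i = 0; i < sizeof hosts / sizeof hosts[0]; i++)
        printf("%-24s %s\n", hosts[i],
               wildcard_host_match(cn, hosts[i]) ? "match" : "no match");
    return 0;
}
```

A certificate meant to cover both hostnames would need an additional name such as `*.chat.freenode.net` or the exact hostname, since the wildcard never spans a dot.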