[gnutls-devel] GnuTLS | server_name: synchronize server name send/receive (remove dns check) (!1838)
Read-only notification of GnuTLS library development activities
gnutls-devel at lists.gnutls.org
Mon May 20 08:20:05 CEST 2024
Andreas Metzler commented on a discussion: https://gitlab.com/gnutls/gnutls/-/merge_requests/1838#note_1911979910
Elliott Mitchell commented on a discussion: https://gitlab.com/gnutls/gnutls/-/merge_requests/1838#note_1911798699
> There are actually 2 distinct issues here. First, `_gnutls_dnsname_is_valid()` is rather inconsistent in what it accepts.
[...]
> The other issue is testing is **only** being done in `_gnutls_server_name_recv_params()` and not `_gnutls_server_name_send_params()`. The result is GnuTLS is being liberal in what it sends, conservative in what it accepts. This is how you destroy interoperability.
[...]
Yessish. However, you proposed to solve both issues by "dropping the checking". My question was whether this was the correct solution.
To my eyes, decreasing enforcement of RFC compliance on the server side nowadays seems quite strange. Usually, nowadays, one tries to decrease complexity and attack surface.
--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1838#note_1911979910
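The interoperability point raised in the thread (a name check applied only in the receive path, so the sender may emit what the receiver would reject) is easiest to see with one validator shared by both directions. The following is an added illustration, not GnuTLS code and not the `_gnutls_dnsname_is_valid()` / `_gnutls_server_name_*_params()` functions under discussion: `sni_hostname_is_valid`, `sni_encode` and `sni_decode` are hypothetical names, the rules encoded are the RFC 6066 section 3 HostName constraints (no trailing dot, no IP literal) plus RFC 1123-style LDH labels, and the sample names are constructed for the example.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical SNI host_name validator (not GnuTLS's own check).
 * Rules: total length 1..253, labels 1..63 of [A-Za-z0-9-] not starting or
 * ending with '-', no empty label, no trailing dot (RFC 6066 forbids it),
 * no ':' (IPv6 literal) and no all-numeric last label (IPv4 literal). */
static bool sni_hostname_is_valid(const char *name, size_t len)
{
    if (len == 0 || len > 253) return false;
    if (name[len - 1] == '.') return false;         /* trailing dot */
    size_t label_len = 0;
    bool label_numeric = true;                      /* tracks the current label */
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (c == '.') {
            if (label_len == 0) return false;       /* empty label ("a..b") */
            if (name[i - 1] == '-') return false;   /* label ends with '-' */
            label_len = 0;
            label_numeric = true;
            continue;
        }
        if (c == ':') return false;                 /* IPv6 literal */
        if (!(isalnum(c) || c == '-')) return false; /* LDH only: rejects NUL, space, UTF-8 */
        if (label_len == 0 && c == '-') return false; /* label starts with '-' */
        if (!isdigit(c)) label_numeric = false;
        if (++label_len > 63) return false;
    }
    if (name[len - 1] == '-') return false;
    if (label_numeric) return false;                /* "192.0.2.1": last label all digits */
    return true;
}

/* Send path: encode one host_name entry as a server_name extension body
 * (RFC 6066 §3 ServerNameList). Returns encoded length, 0 if rejected.
 * The same validator runs here as on receive, so we never emit a name
 * that our own receive path would refuse. */
static size_t sni_encode(const char *name, unsigned char *out, size_t outcap)
{
    size_t len = strlen(name);
    if (!sni_hostname_is_valid(name, len)) return 0;
    size_t total = 2 + 1 + 2 + len;                 /* list_len + type + name_len + name */
    if (total > outcap) return 0;
    size_t list_len = 1 + 2 + len;
    out[0] = (unsigned char)(list_len >> 8); out[1] = (unsigned char)list_len;
    out[2] = 0;                                     /* NameType host_name(0) */
    out[3] = (unsigned char)(len >> 8);      out[4] = (unsigned char)len;
    memcpy(out + 5, name, len);
    return total;
}

/* Receive path: parse a single-entry extension body and copy the name out
 * NUL-terminated. Returns false on malformed framing or an invalid name. */
static bool sni_decode(const unsigned char *in, size_t inlen, char *out, size_t outcap)
{
    if (inlen < 5) return false;
    size_t list_len = ((size_t)in[0] << 8) | in[1];
    if (list_len != inlen - 2) return false;        /* framing mismatch */
    if (in[2] != 0) return false;                   /* only host_name is defined */
    size_t len = ((size_t)in[3] << 8) | in[4];
    if (len != inlen - 5) return false;             /* single entry in this toy */
    if (len + 1 > outcap) return false;
    if (!sni_hostname_is_valid((const char *)in + 5, len)) return false;
    memcpy(out, in + 5, len);
    out[len] = '\0';
    return true;
}

int main(void)
{
    /* Constructed sample names: one good, several that RFC 6066 forbids. */
    const char *samples[] = { "example.com", "example.com.", "192.0.2.1", "::1", "-x.example" };
    unsigned char wire[64];
    char name[64];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        size_t n = sni_encode(samples[i], wire, sizeof wire);
        bool ok = n != 0 && sni_decode(wire, n, name, sizeof name);
        printf("%-14s send=%s recv=%s\n", samples[i], n ? "yes" : "rejected", ok ? name : "-");
    }
    return 0;
}
```

With one validator behind both `sni_encode` and `sni_decode`, a name the client refuses to send is exactly the set of names the server refuses to accept; tightening or loosening the rule then changes both sides together, which is the symmetry the thread says was missing.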