[gnutls-devel] GnuTLS | server_name: synchronize server name send/receive (remove dns check) (!1838)

Read-only notification of GnuTLS library development activities gnutls-devel at lists.gnutls.org
Mon May 20 08:20:05 CEST 2024
Andreas Metzler commented on a discussion: https://gitlab.com/gnutls/gnutls/-/merge_requests/1838#note_1911979910


Elliott Mitchell commented on a discussion: https://gitlab.com/gnutls/gnutls/-/merge_requests/1838#note_1911798699
> There are actually 2 distinct issues here.  First, `_gnutls_dnsname_is_valid()` is rather inconsistent in what it accepts.

[...]
> The other issue is testing is **only** being done in `_gnutls_server_name_recv_params()` and not `_gnutls_server_name_send_params()`.  The result is GnuTLS is being liberal in what it sends, conservative in what it accepts.  This is how you destroy interoperability.
[...]

Yessish. However you proposed to solve both issues by "dropping the checking". My question was whether this was the correct solution.

To my eyes nowadays decreasing enforcement of RFC-compliance on the server side seems quite strange. Usually nowadays one tries to decrease complexity and attack surface.

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1838#note_1911979910
You're receiving this email because of your account on gitlab.com.
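The point under discussion, that the server_name check is applied only on the receive path, is easiest to see when the send and receive sides share one predicate. The following is an added example for this archive page, not GnuTLS code and not `_gnutls_dnsname_is_valid()`: the function names `sni_hostname_is_valid()`, `sni_encode()`, `sni_decode()` and `sni_roundtrip()` are hypothetical. It applies RFC 6066 section 3 (host_name type only, no trailing dot, no IP literal) and RFC 1123 label syntax on both sides, and simplifies the ServerNameList to a single entry.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helpers for an added example; not GnuTLS code. */

static bool ascii_alnum(unsigned char c)
{
    /* Explicit ASCII test rather than isalnum(): no locale surprises. */
    return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') || (c >= '0' && c <= '9');
}

/* True if name[0..len) is acceptable as an SNI host_name: 1..253 octets,
 * labels of 1..63 chars from [A-Za-z0-9-] that neither start nor end with
 * '-', no empty label, no trailing dot (RFC 6066 section 3), and not an
 * all-numeric name such as an IPv4 literal (RFC 6066 forbids IP literals,
 * RFC 1123 forbids all-numeric top-level labels). */
bool sni_hostname_is_valid(const char *name, size_t len)
{
    if (len == 0 || len > 253)
        return false;
    size_t label_len = 0;
    bool only_digits = true;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (c == '.') {
            if (label_len == 0 || name[i - 1] == '-')
                return false;       /* empty label, or label ends in '-' */
            label_len = 0;
            continue;
        }
        if (label_len == 0 && c == '-')
            return false;           /* label starts with '-' */
        if (!ascii_alnum(c) && c != '-')
            return false;           /* rejects NUL, space, '_', UTF-8, ... */
        if (c < '0' || c > '9')
            only_digits = false;
        if (++label_len > 63)
            return false;
    }
    if (label_len == 0 || name[len - 1] == '-')
        return false;               /* trailing dot, or last label ends in '-' */
    return !only_digits;
}

/* Send side. Encodes a one-entry server_name extension body:
 *   ServerNameList length (2) | name_type = host_name (1) | HostName length (2) | bytes
 * Returns bytes written, or 0 when the name fails the same validator the
 * receive side uses, so we never emit a name we would refuse ourselves. */
size_t sni_encode(const char *name, size_t len, uint8_t *out, size_t out_len)
{
    if (!sni_hostname_is_valid(name, len))
        return 0;
    size_t total = 2 + 1 + 2 + len;
    if (out_len < total)
        return 0;
    size_t list_len = 1 + 2 + len;
    out[0] = (uint8_t)(list_len >> 8);
    out[1] = (uint8_t)list_len;
    out[2] = 0;                                   /* name_type host_name */
    out[3] = (uint8_t)(len >> 8);
    out[4] = (uint8_t)len;
    memcpy(out + 5, name, len);
    return total;
}

/* Receive side. Parses the body, checks lengths against the buffer, then
 * runs the identical validator. Returns the hostname length and sets *name,
 * or 0 on malformed data or a rejected name. */
size_t sni_decode(const uint8_t *in, size_t in_len, const char **name)
{
    if (in_len < 5)
        return 0;
    size_t list_len = ((size_t)in[0] << 8) | in[1];
    if (list_len != in_len - 2 || in[2] != 0)
        return 0;
    size_t host_len = ((size_t)in[3] << 8) | in[4];
    if (host_len != in_len - 5)
        return 0;
    if (!sni_hostname_is_valid((const char *)in + 5, host_len))
        return 0;
    *name = (const char *)in + 5;
    return host_len;
}

/* Encode then decode: true only if the name passes both sides intact. */
bool sni_roundtrip(const char *name)
{
    uint8_t buf[5 + 253];
    size_t n = sni_encode(name, strlen(name), buf, sizeof buf);
    if (n == 0)
        return false;
    const char *decoded = NULL;
    size_t dlen = sni_decode(buf, n, &decoded);
    return dlen == strlen(name) && memcmp(decoded, name, dlen) == 0;
}

int main(void)
{
    /* Constructed sample names, including ones RFC 6066 does not allow. */
    const char *names[] = { "example.com", "example.com.", "127.0.0.1", "xn--bcher-kva.example" };
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++)
        printf("%-24s %s\n", names[i], sni_roundtrip(names[i]) ? "sent and accepted" : "rejected on both sides");
    return 0;
}
```

Because both paths call one predicate, the "liberal in what it sends, conservative in what it accepts" asymmetry cannot arise: if the rule set is too strict it fails symmetrically and shows up in your own interop tests, rather than only against a stricter peer. Note that `sni_decode()` checks the two length fields against the actual buffer before touching the name bytes; the validator is a policy check, not a substitute for bounds checking.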

