From: Howard Chu
Subject: [Fwd: Re: (ITS#5361) cert verification failures with GnuTLS and DNS subjectAltName]
Date: Sun, 10 Feb 2008 02:11:51 -0800
User-agent: Mozilla/5.0 (X11; U; Linux i686; rv:1.9b3pre) Gecko/2008013117 SeaMonkey/2.0a1pre

For context, the full bug report is here

http://www.openldap.org/its/index.cgi/Incoming?id=5361

-------- Original Message --------
Subject: Re: (ITS#5361) cert verification failures with GnuTLS and DNS subjectAltName
Date: Sun, 10 Feb 2008 09:17:46 GMT
From: address@hidden
To: address@hidden

Steve Langasek wrote:
> On Sat, Feb 09, 2008 at 11:04:18PM -0800, Howard Chu wrote:
>> I cannot duplicate this error with GnuTLS 1.7.8 or 1.7.9. The altname
>> length that is returned just includes the non-NUL characters. Note that
>> all of libldap's TLS functionality was tested and working with GnuTLS
>> 1.7. What version are you using?
>
> Reproduced with GnuTLS 2.0.4 and GnuTLS 2.2.1.
>
>> It seems to me that if your version of GnuTLS is indeed behaving this way,
>> then it's a GnuTLS bug, since in C, the length of a string never includes
>> the trailing NUL.
>
> It's true that the /length/ of a string doesn't include the trailing NUL,
> but it does have to be included in the storage /size/ of a C string, and
> it's debatable which is intended here.

Since this is an ASN.1 structure, one would ordinarily not expect any NUL
termination in the first place. And since other GnuTLS library functions are
returning the raw data size, excluding any trailing NUL, the behavior you're
seeing here is pretty suspicious.

> Given that one of the errors
> returned by gnutls_x509_crt_get_subject_alt_name() is
> GNUTLS_E_SHORT_MEMORY_BUFFER, it seems obvious to me that this should use
> semantics for storage size rather than string length, and the only question
> in my mind is whether the trailing NUL is included as part of the internal
> representation of the string.
>
> If this is a behavior change as you say, then I guess we need clarification
> from GnuTLS upstream about whether this is intentional.

That sounds like the best step for now. Just to be sure, how was the
certificate created? Have you verified that libldap with OpenSSL accepts the
certificate correctly? So far it sounds just as likely to me that your
subjectAltName actually includes a trailing NUL in its data. ASN.1 structures
don't use NUL-terminated strings here; the DER form requires definite lengths
to be encoded up front.
--
   -- Howard Chu
   Chief Architect, Symas Corp.  http://www.symas.com
   Director, Highland Sun        http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP     http://www.openldap.org/project/




--
  -- Howard Chu
  Chief Architect, Symas Corp.  http://www.symas.com
  Director, Highland Sun        http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP     http://www.openldap.org/project/
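Howard's closing point, that DER encodes a definite length up front and an ASN.1 dNSName is never NUL-terminated, can be checked directly against the extension bytes. The following is an added example, not code from this thread, GnuTLS or OpenLDAP: it walks a SubjectAltName GeneralNames SEQUENCE (short-form lengths only) and counts dNSName entries whose DER length covers a NUL byte, which is exactly the case where the declared size and a C-string view of the name disagree. The sample bytes are constructed.

```c
/* Added example: compare the DER-declared length of each dNSName in a
 * SubjectAltName value with what a C string routine would see.
 * Short-form (< 128 byte) lengths only; long-form lengths are rejected. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define TAG_SEQUENCE 0x30
#define TAG_DNSNAME  0x82   /* context-specific [2], primitive: dNSName */

/* Parse one short-form DER TLV at buf[0..len). Returns the number of bytes
 * consumed (header + content), or 0 if the input is malformed or truncated. */
static size_t der_tlv(const uint8_t *buf, size_t len, uint8_t *tag,
                      const uint8_t **val, size_t *vlen)
{
    if (len < 2 || (buf[1] & 0x80) || (size_t)buf[1] + 2 > len)
        return 0;
    *tag = buf[0]; *vlen = buf[1]; *val = buf + 2;
    return 2 + *vlen;
}

/* Count dNSName entries that contain a NUL byte inside their DER length.
 * Returns -1 if the outer SEQUENCE or any inner TLV is malformed. */
int count_nul_dnsnames(const uint8_t *san, size_t san_len)
{
    uint8_t tag; const uint8_t *seq; size_t seq_len;
    if (!der_tlv(san, san_len, &tag, &seq, &seq_len) || tag != TAG_SEQUENCE)
        return -1;
    int bad = 0;
    for (size_t off = 0; off < seq_len; ) {
        const uint8_t *v; size_t vlen;
        size_t n = der_tlv(seq + off, seq_len - off, &tag, &v, &vlen);
        if (n == 0) return -1;
        off += n;
        if (tag != TAG_DNSNAME) continue;
        /* DER says the name is vlen bytes; strlen() would stop at a NUL */
        if (memchr(v, 0, vlen) != NULL) bad++;
    }
    return bad;
}

/* Constructed sample: SEQUENCE { [2] "ldap.example.com", [2] "ldap.example.com\0" } */
static const uint8_t SAMPLE_SAN[] = {
    0x30, 0x25,
    0x82, 0x10, 'l','d','a','p','.','e','x','a','m','p','l','e','.','c','o','m',
    0x82, 0x11, 'l','d','a','p','.','e','x','a','m','p','l','e','.','c','o','m', 0x00
};
const size_t SAMPLE_SAN_LEN = sizeof SAMPLE_SAN;

int main(void) { printf("%d\n", count_nul_dnsnames(SAMPLE_SAN, SAMPLE_SAN_LEN)); return 0; }
```

A result of 0 on a real certificate's extension value means the name bytes are NUL-free as DER expects, so any extra byte reported by a library length is storage accounting on the library side rather than data in the certificate.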