[Help-gnutls] Re: GnuTLS 2.8.2

help-gnutls

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Help-gnutls] Re: GnuTLS 2.8.2

From:	Simon Josefsson
Subject:	[Help-gnutls] Re: GnuTLS 2.8.2
Date:	Wed, 12 Aug 2009 10:54:34 +0200
User-agent:	Gnus/5.110011 (No Gnus v0.11) Emacs/23.1.50 (gnu/linux)

Jeff Cai <address@hidden> writes:

>> What's New
>> ==========
>> 
>> ** libgnutls: Fix problem with NUL bytes in X.509 CN and SAN fields.
>> By using a NUL byte in CN/SAN fields, it was possible to fool GnuTLS
>> into 1) not printing the entire CN/SAN field value when printing a
>> certificate and 2) cause incorrect positive matches when matching a
>> hostname against a certificate.  Some CAs apparently have poor
>> checking of CN/SAN values and issue these (arguable invalid)
>> certificates.  Combined, this can be used by attackers to become a
>> MITM on server-authenticated TLS sessions.  The problem is mitigated
>> since attackers needs to get one certificate per site they want to
>> attack, and the attacker reveals his tracks by applying for a
>> certificate at the CA.  It does not apply to client authenticated TLS
>> sessions.  Research presented independently by Dan Kaminsky and Moxie
>> Marlinspike at BlackHat09.  Thanks to Tomas Hoger <address@hidden>
>> for providing one part of the patch.  [GNUTLS-SA-2009-4].
>
> How is it affecting old versions of gnutls like 2.6 and 2.4? Do they
> also need a patch applied if not upgrading them?

Yes.  I believe all earlier versions are affected.

/Simon

[Prev in Thread]

Current Thread

[Next in Thread]

[Help-gnutls] GnuTLS 2.8.2, Simon Josefsson, 2009/08/10
- Message not available
  - [Help-gnutls] Re: GnuTLS 2.8.2, Simon Josefsson <=

Prev by Date: [Help-gnutls] Re: gnutls_x509_crt_check_hostname()
Next by Date: [Help-gnutls] Re: gnutls_x509_crt_check_hostname()
Previous by thread: [Help-gnutls] GnuTLS 2.8.2
Next by thread: [Help-gnutls] gnutls_x509_crt_check_hostname()
Index(es):
- Date
- Thread