Full_Name: Steve Langasek Version: 2.4.7 OS: Debian URL: http://people.ubuntu.com/~vorlon/gnutls-altname-nulterminated.patch Submission from: (NULL) (2001:4830:1244:0:219:d2ff:fe76:2acb)
When built with GnuTLS, libldap fails to correctly verify DNS hostnames against the subjectAltName field of the provided certificate. The reason for this is that, while the "length" that gnutls returns for the CN is equal to the strlen(), the length returned by gnutls_x509_crt_get_subject_alt_name() includes a trailing NUL.
I have verified that the referenced patch corrects this for the case of non-wildcard DNS subjectAltName values. I have not tested the code for the wildcarded case, though it seems likely that the same bug applies there and will need to be fixed.