A fix has been committed in the GnuTLS code base.
-------- Original Message --------
Subject: Re: (ITS#5361) cert verification failures with GnuTLS and DNS subjectAltName
Date: Fri, 15 Feb 2008 23:11:32 +0200
From: Nikos Mavrogiannopoulos <nmav(a)gnutls.org>
To: Howard Chu <hyc(a)symas.com>
CC: Joe Orton <joe(a)manyfish.co.uk>, gnutls-devel(a)gnu.org
References: <200802100917.m1A9HkSb015171(a)boole.openldap.org>
<200802152216.25025.nmav(a)gnutls.org> <47B5F843.8080503(a)symas.com>
On Friday 15 February 2008, Howard Chu wrote:
>> Anyway, does the attached
>> patch solve your problem?
> Not really. It still returns a size one byte larger than expected for the
> strings. Even in languages where NUL-terminated strings are the norm, the
> terminating byte is not included in the length.
> The point is, we expect this API to return exactly the data that was in the
> certificate. If the caller wants to treat the data as a string, they can
> NUL-terminate it themselves. The manpage only says that the data will be
> returned, it does not say that it will be altered in any way.
Actually you are right. The return value shouldn't be increased (this also
happens in the other similar functions). I've corrected the patch and
committed at:
http://git.savannah.gnu.org/gitweb/?p=gnutls.git;a=commitdiff;h=4cc3c6b6e...
regards,
Nikos
--
-- Howard Chu
Chief Architect, Symas Corp.
http://www.symas.com
Director, Highland Sun
http://highlandsun.com/hyc/
Chief Architect, OpenLDAP
http://www.openldap.org/project/
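To illustrate the API contract the thread settles on (the certificate bytes come back with their exact length and the caller NUL-terminates them itself if it wants a string), here is an added C example; it is not code from GnuTLS or OpenLDAP. The functions `san_matches_host`, `san_to_cstring`, `demo_off_by_one` and the sample dNSName bytes are constructed for this illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Compare a dNSName taken verbatim from a certificate (data, len, no
 * terminator) with the host the caller connected to.  `len` must count
 * only the certificate bytes: a length that also counts a NUL makes
 * every comparison fail by one, the failure discussed in the thread. */
int san_matches_host(const unsigned char *data, size_t len, const char *host)
{
    if (len != strlen(host))        /* exact length, no terminator needed */
        return 0;
    return memcmp(data, host, len) == 0;
}

/* A caller that wants a C string makes and terminates the copy itself;
 * the API's data is never altered.  Returns a malloc'ed string or NULL. */
char *san_to_cstring(const unsigned char *data, size_t len)
{
    char *s = malloc(len + 1);
    if (s == NULL)
        return NULL;
    memcpy(s, data, len);
    s[len] = '\0';
    return s;
}

/* Constructed sample: the bytes a dNSName "ldap.example.com" carries. */
static const unsigned char sample_san[] = "ldap.example.com";
static const size_t sample_san_len = sizeof(sample_san) - 1;  /* no NUL */

/* Returns 1 when the exact length matches and the off-by-one length
 * (what the pre-fix API reported) does not. */
int demo_off_by_one(void)
{
    int exact = san_matches_host(sample_san, sample_san_len, "ldap.example.com");
    int plus1 = san_matches_host(sample_san, sample_san_len + 1, "ldap.example.com");
    return exact && !plus1;
}

int main(void)
{
    char *s = san_to_cstring(sample_san, sample_san_len);
    printf("exact length matches, length+1 rejected: %d\n", demo_off_by_one());
    printf("caller-terminated copy: %s\n", s ? s : "(alloc failed)");
    free(s);
    return 0;
}
```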