On Sunday 19 December 2010, Dr Stephen Henson wrote:
> On 29/11/2010 19:34, Dr Stephen Henson wrote:
> > You can get a UTF8String from most string types using
> > ASN1_STRING_to_UTF8(). This should be adequate for most
> > purposes: it doesn't handle the more bizarre TeletexString shift
> > conversions but those are rarely encountered in practice.
>
> I should have also included a note of warning about
> ASN1_STRING_to_UTF8(). You cannot safely assume that the result
> will be a null terminated string as many ASN1 string types can
> include embedded nulls: this can have security implications in
> some cases.

You mean someone could make a certificate with a CN of foo.apache.org\0evil.com but the CN variable would then only contain foo.apache.org?

I think we can safely assume that any certificate that contains an embedded null after converting to UTF8 is malicious. Can we reject such certificates somehow? Should we close the connection if we see such a thing in ssl_var_lookup_ssl_cert? Or should we try to escape the 0-byte in the variable?
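
An added example, not part of the original message and not code from mod_ssl or OpenSSL: it shows the two options raised above (reject, or escape the 0-byte) applied to the length and buffer that ASN1_STRING_to_UTF8() returns. The helper names `has_embedded_nul` and `escape_nul` are hypothetical, and the sample CN is constructed so the block runs without linking OpenSSL.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample: the CN from the message, as the (buffer, length) pair
 * ASN1_STRING_to_UTF8() would hand back. */
static const unsigned char SAMPLE_CN[] = "foo.apache.org\0evil.com";
#define SAMPLE_CN_LEN ((int)sizeof(SAMPLE_CN) - 1)

/* Hypothetical helper: 1 if a NUL occurs inside the first len bytes, so that
 * strlen()/strcmp() on the buffer would see only a prefix of the value. */
int has_embedded_nul(const unsigned char *buf, int len)
{
    return len > 0 && memchr(buf, '\0', (size_t)len) != NULL;
}

/* Hypothetical helper: copy buf to out as a C string, writing each NUL as the
 * text "\x00" and each backslash as "\\" so the escaping is unambiguous.
 * Returns the escaped length, or -1 if out is too small. */
int escape_nul(const unsigned char *buf, int len, char *out, size_t outsz)
{
    size_t o = 0;
    if (outsz == 0) return -1;
    for (int i = 0; i < len; i++) {
        const char *rep = buf[i] == '\0' ? "\\x00"
                        : buf[i] == '\\' ? "\\\\" : NULL;
        size_t need = rep ? strlen(rep) : 1;
        if (o + need + 1 > outsz) return -1;   /* keep room for terminator */
        if (rep) memcpy(out + o, rep, need);
        else out[o] = (char)buf[i];
        o += need;
    }
    out[o] = '\0';
    return (int)o;
}

int main(void)
{
    char esc[128];
    printf("strlen view : %s (%zu of %d bytes)\n", (const char *)SAMPLE_CN,
           strlen((const char *)SAMPLE_CN), SAMPLE_CN_LEN);
    if (has_embedded_nul(SAMPLE_CN, SAMPLE_CN_LEN))
        puts("embedded NUL: reject, or export only the escaped form");
    if (escape_nul(SAMPLE_CN, SAMPLE_CN_LEN, esc, sizeof(esc)) >= 0)
        printf("escaped     : %s\n", esc);
    return 0;
}
```

The check depends on keeping the length returned by the conversion; once the value has been passed through a strlen()-based copy, the bytes after the NUL are gone and nothing is left to detect.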