Daniel Stenberg <[email protected]> writes:

> On Wed, 12 Aug 2009, Simon Josefsson wrote:
>
>> Can you post the certificate, or create one that exhibits the same problem?
>
> Yes I can. I have the luxury of actually being able to repeat this
> problem within the curl test suite (test 311). This test was just
> added and thus made me notice this flaw...
>
> The exact certificates used for this test are found here:
> http://cool.haxx.se/cvs.cgi/curl/tests/certs/
>
> The "Server-localhost0h-sv.pem" is used for the server cert, while
> EdelCurlRoot-ca.crt is the cacert.

Thanks. The extra spice needed here is that the SAN contains an embedded NUL.

This is what I feared would happen if we return an error when NUL in CN/SAN values is discovered: some other code incorrectly uses the error to mean that there is no valid SAN field at all, and proceeds to check the CN instead.

Possibly we need to return valid data, but make sure any NULs are correctly LDAP-escaped. Maybe we can come up with a simpler solution...

/Simon

_______________________________________________
Help-gnutls mailing list
[email protected]
http://lists.gnu.org/mailman/listinfo/help-gnutls
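
The failure mode described in the message above, as an added example that is not part of the original thread and is not GnuTLS or curl code: a caller that reads "SAN entry rejected" as "no SAN present" falls back to the CN, while a fail-closed caller rejects the certificate. All names (`get_san`, `NAME_INVALID`, `check_host_flawed`, `check_host_strict`) are hypothetical, and the certificate contents are constructed sample data, not the contents of the test 311 certificate.

```c
#include <stdio.h>
#include <string.h>
/* Constructed model, not GnuTLS or curl code: certificate names carry an
   explicit length, as ASN.1 strings do, so they can hold embedded NULs. */
struct name { const char *data; size_t len; };
struct cert { struct name cn; const struct name *san; size_t nsan; };
enum { NAME_OK = 0, NAME_ABSENT = -1, NAME_INVALID = -2 }; /* hypothetical codes */

/* Hypothetical accessor that rejects a SAN entry containing a NUL byte. */
static int get_san(const struct cert *c, size_t i, const struct name **out) {
    if (i >= c->nsan) return NAME_ABSENT;
    if (memchr(c->san[i].data, 0, c->san[i].len)) return NAME_INVALID;
    *out = &c->san[i];
    return NAME_OK;
}

/* Length-aware comparison: a name with an embedded NUL never matches. */
static int name_eq(const struct name *n, const char *host) {
    return !memchr(n->data, 0, n->len) && n->len == strlen(host)
        && memcmp(n->data, host, n->len) == 0;
}

/* Flawed caller: any error ends the loop, so a rejected first entry
   looks the same as "certificate has no SAN" and the CN is consulted. */
int check_host_flawed(const struct cert *c, const char *host) {
    const struct name *n; size_t i;
    for (i = 0; get_san(c, i, &n) == NAME_OK; i++)
        if (name_eq(n, host)) return 1;
    return i == 0 ? name_eq(&c->cn, host) : 0;
}

/* Fail-closed caller: an invalid SAN rejects the certificate; the CN is
   consulted only when the SAN list is genuinely empty. */
int check_host_strict(const struct cert *c, const char *host) {
    const struct name *n; size_t i; int rc;
    for (i = 0; (rc = get_san(c, i, &n)) == NAME_OK; i++)
        if (name_eq(n, host)) return 1;
    if (rc == NAME_INVALID) return 0;
    return i == 0 ? name_eq(&c->cn, host) : 0;
}

/* Constructed sample data: SAN "localhost\0h" (11 bytes), CN "localhost". */
static const struct name NUL_SAN[] = { { "localhost\0h", 11 } };
const struct cert NUL_CERT = { { "localhost", 9 }, NUL_SAN, 1 };
const struct cert CN_ONLY  = { { "localhost", 9 }, NULL, 0 };
int main(void) {
    printf("flawed=%d strict=%d\n", check_host_flawed(&NUL_CERT, "localhost"),
           check_host_strict(&NUL_CERT, "localhost"));
    return 0;
}
```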
