On Mon, Oct 29, 2012 at 4:02 PM, Erwann Abalea
<erwann.aba...@keynectis.com> wrote:
> Where's the failure here?
> hostname_matched is set to HOSTNAME_VALIDATION_ERR at initialization, and in
> case of a NULL hostname or certificate it is returned by the function,
> unmodified.
My bad - you were right. I fetched the document again and some parts
were rewritten. The re-written document did not include the function
with HOSTNAME_VALIDATION_ERR. I'm not sure how I missed that
hostname_matched was a return variable (I think I zeroed in on the
name, which implied a match).

Jeff

> Le 27/10/2012 21:00, Jeffrey Walton a écrit :
>
>> On Sat, Oct 27, 2012 at 11:00 AM, Alban D. <blan...@gmail.com> wrote:
>>>
>>> Hi everyone,
>>>
>>> iSEC Partners just released a paper that provides detailed guidelines
>>> and sample code on how to properly do certificate validation with
>>> OpenSSL:
>>>
>>> http://www.isecpartners.com/blog/2012/10/14/the-lurking-menace-of-broken-tls-validation.html
>>>
>>> It is not trivial and so I thought this reference material could be
>>> useful to people on this mailing list.
>>
>> ] int validate_hostname(char *hostname, X509 *server_cert) {
>> ]   int hostname_matched = HOSTNAME_VALIDATION_ERR;
>> ]   if((hostname == NULL) || (server_cert == NULL))
>> ]      goto error;
>> ] ...
>> ]   error:
>> ]     return hostname_matched;
>> ] }
>> You failed open rather than closed. It's not a good choice of
>> strategies for high integrity software.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
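
The fail-closed initialization discussed in this thread, as an added example that is not code from the thread or from the iSEC paper: the result starts as HOSTNAME_VALIDATION_ERR and is only changed after every check has passed, so each early exit refuses. The other two result names, the `cert_name` type (a stand-in for names extracted from an X509 certificate) and the embedded-NUL check are assumptions of this sketch, and it does exact matching only, with no wildcard handling.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Only HOSTNAME_VALIDATION_ERR appears in the thread; the other two
 * result names and the cert_name type are assumptions for this example. */
typedef enum { HOSTNAME_MATCH_FOUND, HOSTNAME_MATCH_NOT_FOUND,
               HOSTNAME_VALIDATION_ERR } hostname_result;

/* Stand-in for a name taken from a certificate: length-counted, like an
 * ASN.1 string, so it can carry an embedded NUL byte. */
typedef struct { const char *data; size_t len; } cert_name;

/* Case-insensitive comparison of two buffers of equal length n. */
static int equal_nocase(const char *a, const char *b, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return 0;
    return 1;
}

hostname_result validate_hostname(const char *hostname,
                                  const cert_name *names, size_t count)
{
    /* Fail closed: start in the error state, so any early exit refuses. */
    hostname_result result = HOSTNAME_VALIDATION_ERR;
    size_t hlen = 0;
    int matched = 0;
    if (hostname == NULL || names == NULL || (hlen = strlen(hostname)) == 0)
        goto done;
    for (size_t i = 0; i < count; i++) {
        /* A missing or NUL-carrying name is malformed: keep the error. */
        if (!names[i].data || memchr(names[i].data, '\0', names[i].len))
            goto done;
        if (names[i].len == hlen && equal_nocase(names[i].data, hostname, hlen))
            matched = 1;
    }
    /* Reached only when the inputs and every name were well-formed. */
    result = matched ? HOSTNAME_MATCH_FOUND : HOSTNAME_MATCH_NOT_FOUND;
done:
    return result;
}

int main(void)
{
    cert_name names[] = { { "www.example.com", 15 } }; /* constructed sample */
    return validate_hostname("WWW.example.com", names, 1) == HOSTNAME_MATCH_FOUND ? 0 : 1;
}
```

A caller should treat anything other than HOSTNAME_MATCH_FOUND as a refusal, so that the error and no-match outcomes both close the connection.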
