On Sat, May 18, 2024 at 06:55:06AM +0200, Andreas Metzler wrote:
> On 2024-05-17 Elliott Mitchell <ehem+deb...@m5p.com> wrote:
> > On Thu, May 16, 2024 at 07:06:49PM -0700, Elliott Mitchell wrote:
> > > On Tue, May 14, 2024 at 06:22:09PM +0200, Andreas Metzler wrote:
> [...]
> > > > Could you please post the requested output, although there are no
> > > > obvious clues there to your eyes?
> > > 
> > > Problem is that provides rather a lot of data about this network setup.
> > > The quantity of information is enough for me to be rather uncomfortable
> > > with providing it via public channel.
> [...]
> 
> > > I notice the `_gnutls_dnsname_is_valid()` function in
> > > gnutls28-3.8.5/lib/str.h accepts IPv4 addresses (which are NOT valid in
> > > DNS), but rejects IPv6 addresses.

> At a very bare level an IPv4 address is a valid DNS name (alnum, dashes,
> and dots), an IPv6 address is not. That is what gnutls is checking here.

No, there isn't any IPv4 address which is a valid DNS name.  No top-level
domain consists purely of decimal digits, whereas IPv4 addresses consist
of purely decimal digits.  In fact I don't believe there are any
top-level domains which have even a single decimal digit in them.

> Afaict it is a short-cut to save more expensive processing for obvious
> errors. gnutls_session_get_verify_cert_status() (with
> gnutls_session_set_verify_cert() set correctly) or
> gnutls_x509_crt_check_hostname()/gnutls_certificate_verify_peers3()
> does more elaborate stuff on the data,
> gnutls_certificate_verify_peers2() requires a separate
> gnutls_x509_crt_check_hostname().

Which seems to argue the more urgent issue is
_gnutls_server_name_send_params() needs to do checking of the provided
server hostname before sending it as SNI.

I've got an initial implementation of this here, but I'm left wondering
how far verification should go.


-- 
(\___(\___(\______          --=> 8-) EHM <=--          ______/)___/)___/)
 \BS (    |         ehem+sig...@m5p.com  PGP 87145445         |    )   /
  \_CS\   |  _____  -O #include <stddisclaimer.h> O-   _____  |   /  _/
8A19\___\_|_/58D2 7E3D DDF4 7BA6 <-PGP-> 41D1 B375 37D0 8714\_|_/___/5445
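As an added example, not code from GnuTLS or from either correspondent, here is the kind of check the last paragraph asks for: a stand-alone C function (the name sni_hostname_is_valid() and its rule set are this example's own) that applies RFC 1123 host-name syntax and the RFC 6066 rule that the SNI host_name must not be an IP literal. It uses the point made above about top-level domains, a DNS top-level label is never all digits, as its IPv4 test, and the presence of any character outside letters, digits, '-' and '.' (so ':' and brackets) as its IPv6 test, so both kinds of address literal are rejected before a name would be offered as SNI.

```c
/* Added example: a stand-alone SNI host-name check. This is NOT GnuTLS
 * code; the function name and the rules below are this example's own.
 * Rules applied (RFC 1123 host-name syntax, RFC 6066 section 3 for SNI):
 *   - only letters, digits, '-' and '.'; anything else, including the
 *     ':' of an IPv6 literal or '[' ']', is rejected
 *   - no empty label, no label starting or ending with '-', label <= 63
 *   - whole name <= 253 octets, one trailing dot tolerated
 *   - the last (top-level) label must not be all digits, which rejects
 *     dotted-quad IPv4 literals such as 192.0.2.1
 */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAX_HOSTNAME_LEN 253
#define MAX_LABEL_LEN 63

/* Returns 1 if name is acceptable as an SNI host_name, 0 otherwise. */
int sni_hostname_is_valid(const char *name)
{
    size_t len, i, label_start = 0;
    int tld_all_digits = 1;

    if (name == NULL)
        return 0;
    len = strlen(name);
    /* Tolerate one trailing dot (absolute name), but not "." alone */
    if (len > 1 && name[len - 1] == '.')
        len--;
    if (len == 0 || len > MAX_HOSTNAME_LEN)
        return 0;

    /* Walk the name; i == len acts as a synthetic final '.' so the last
     * label is checked with the same code as the others. */
    for (i = 0; i <= len; i++) {
        unsigned char c = (unsigned char)(i < len ? name[i] : '.');

        if (c == '.') {
            size_t label_len = i - label_start;
            if (label_len == 0 || label_len > MAX_LABEL_LEN)
                return 0;           /* "a..b" or an over-long label */
            if (name[label_start] == '-' || name[i - 1] == '-')
                return 0;           /* hyphen at a label edge */
            label_start = i + 1;
            if (i < len)
                tld_all_digits = 1; /* start tracking the next label */
            continue;
        }
        if (!(isalnum(c) || c == '-'))
            return 0;               /* ':' of IPv6, brackets, spaces, ... */
        if (!isdigit(c))
            tld_all_digits = 0;
    }
    /* tld_all_digits now describes the final label: an all-digit
     * top-level label is never a DNS name, so IPv4 literals fail here. */
    return !tld_all_digits;
}

int main(void)
{
    /* Constructed sample inputs for a stand-alone run */
    const char *samples[] = { "example.com", "192.0.2.1", "2001:db8::1",
                              "-bad.example", "a..b" };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-16s %s\n", samples[i],
               sni_hostname_is_valid(samples[i]) ? "ok" : "rejected");
    return 0;
}
```

The check is deliberately syntactic: it decides only whether a string may be sent as SNI at all, and leaves certificate matching to the verification calls named earlier in the thread.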