On 16/05/14 01:06, Viktor Dukhovni wrote:
> On Fri, May 16, 2014 at 12:17:33AM +0100, Jeremy Harris wrote:
>> Created an attachment (id=728)
>> --> (http://bugs.exim.org/attachment.cgi?id=728)
>> prototype patch
>
> You SHOULD NOT join all the altName values with newlines, and then
> split that to recover the altnames.

List joining and splitting in the Exim implementation code
preserves embedded separator characters in list elements.

> ASN.1 strings can contain NUL octets, and are not C strings. This
> implementation leaves the potential problem unchecked.

We do not support names with embedded NULs.
The implementation here either converts NULs to #-sequences,
per RFC 4514, or treats it as terminating the string. Both
ways are safe.

> Later, for DANE, you'll need to allow multiple names any one of
> which might match the peer certificate.

This isn't DANE. Do you see it as potentially part of a DANE
implementation?

> You also should probably
> support wildcards "*.example.com".

Agreed. The later-version GnuTLS implementation probably does
already as it uses the builtin library routine, but the others
need to.
--
Cheers,
Jeremy
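The three points raised in the exchange above (do not join-then-split the altName list, ASN.1 strings are length-prefixed and may carry embedded NUL octets, and wildcards such as "*.example.com" need handling) can be illustrated together. The following is an added example written for this page; it is not Jeremy's patch, not Exim's code, and not what Exim ended up doing. It assumes the dNSName entries have already been pulled out of the certificate as a list of raw byte strings, treats each entry independently so no separator character can split or merge entries, rejects any entry containing a NUL octet rather than truncating at it, and applies the wildcard policy of RFC 6125 section 6.4.3 (a single "*" as the whole left-most label, matching exactly one label, never a public-suffix-style "*.com"). The sample SAN list at the bottom is constructed for the demonstration.

```python
# Added example (not Exim's code): decoding dNSName subjectAltName values
# safely and matching a hostname against them, wildcard label included.
from typing import Iterable, Optional


class BadSanEntry(ValueError):
    """Raised for a SAN value that cannot be a valid DNS name."""


def decode_dns_name(raw: bytes) -> str:
    """Convert the raw octets of one dNSName entry to a normalised str.

    ASN.1 strings carry an explicit length, so an embedded NUL is possible;
    a C caller that reads the value as a NUL-terminated string would see
    only the prefix. Reject such values outright instead of truncating.
    """
    if b"\x00" in raw:
        raise BadSanEntry("embedded NUL octet in dNSName: %r" % raw)
    try:
        name = raw.decode("ascii")
    except UnicodeDecodeError:
        raise BadSanEntry("non-ASCII dNSName (IDNs must be A-labels): %r" % raw)
    name = name.rstrip(".").lower()
    if not name:
        raise BadSanEntry("empty dNSName")
    return name


def dns_name_matches(hostname: str, pattern: str) -> bool:
    """Match a hostname against one SAN pattern (RFC 6125 section 6.4.3 style).

    A wildcard is honoured only as the whole left-most label, only when at
    least two labels follow it, and it never spans a dot: "*.example.com"
    matches "www.example.com" but not "a.b.example.com" or "example.com".
    """
    host_labels = hostname.rstrip(".").lower().split(".")
    pat_labels = pattern.rstrip(".").lower().split(".")
    if "*" not in pattern:
        return host_labels == pat_labels
    if pat_labels[0] != "*" or any("*" in label for label in pat_labels[1:]):
        return False  # partial-label or non-leading wildcard: refused
    if len(pat_labels) < 3:
        return False  # refuse "*.com"-style wildcards
    if len(host_labels) != len(pat_labels):
        return False  # "*" stands for exactly one label
    return host_labels[1:] == pat_labels[1:]


def certificate_matches_host(hostname: str, raw_sans: Iterable[bytes]) -> Optional[str]:
    """Return the SAN entry that matched hostname, or None.

    Each entry is decoded on its own: there is no join-then-split step, so a
    separator character inside one entry can neither create nor hide another.
    """
    for raw in raw_sans:
        try:
            name = decode_dns_name(raw)
        except BadSanEntry:
            continue  # a malformed entry never matches; verification fails closed
        if dns_name_matches(hostname, name):
            return name
    return None


# Constructed sample SAN list. The last entry carries an embedded NUL; a
# NUL-terminated reading would wrongly see it as "www.good.example".
SAMPLE_SANS = [
    b"mail.example.com",
    b"*.example.org",
    b"www.good.example\x00.other.example",
]

if __name__ == "__main__":
    for host in ("mail.example.com", "smtp.example.org", "a.b.example.org",
                 "www.good.example", "example.org"):
        print(host, "->", certificate_matches_host(host, SAMPLE_SANS))
```

Running the block prints a match for the first two hosts and None for the other three: the multi-label host is not covered by the single wildcard label, the bare domain is not covered by the wildcard either, and the NUL-bearing entry is discarded before it can match anything.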
--
## List details at https://lists.exim.org/mailman/listinfo/exim-dev Exim
details at http://www.exim.org/ ##