[EMAIL PROTECTED] wrote: > Full_Name: Steve Langasek > Version: 2.4.7 > OS: Debian > URL: http://people.ubuntu.com/~vorlon/gnutls-altname-nulterminated.patch > Submission from: (NULL) (2001:4830:1244:0:219:d2ff:fe76:2acb) > > > When built with GnuTLS, libldap fails to correctly verify DNS hostnames > against > the subjectAltName field of the provided certificate. The reason for this is > that, while the "length" that gnutls returns for the CN is equal to the > strlen(), the length returned by gnutls_x509_crt_get_subject_alt_name() > includes > a trailing NUL. > > I have verified that the referenced patch corrects this for the case of > non-wildcard DNS subjectAltName values. I have not tested the code for the > wildcarded case, though it seems likely that the same bug applies there and > will > need to be fixed.
I cannot duplicate this error with GnuTLS 1.7.8 or 1.7.9. The altname length that is returned just includes the non-NUL characters. Note that all of libldap's TLS functionality was tested and working with GnuTLS 1.7. What version are you using? It seems to me that if your version of GnuTLS is indeed behaving this way, then it's a GnuTLS bug, since in C, the length of a string never includes the trailing NUL. -- -- Howard Chu Chief Architect, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/
