Sorry for the confusion.
We initially uploaded the wrong version of the paper and that's
something I noticed yesterday.
The code was out of sync with the repo on GitHub. I also changed a few
other things while I was at it.
Thanks for all the feedback.

2012/10/30 Jeffrey Walton <noloa...@gmail.com>:
> On Mon, Oct 29, 2012 at 4:02 PM, Erwann Abalea
> <erwann.aba...@keynectis.com> wrote:
>> Where's the failure here?
>> hostname_matched is set to HOSTNAME_VALIDATION_ERR at initialization, and in
>> case of a NULL hostname or certificate it is returned by the function,
>> unmodified.
> My bad - you were right. I fetched the document again and some parts
> were rewritten. The re-written document did not include the function
> with HOSTNAME_VALIDATION_ERR. I'm not sure how I missed
> hostname_matched was a return variable (I think I zeroed in on the
> name, which implied a match).
>
> Jeff
>
>> Le 27/10/2012 21:00, Jeffrey Walton a écrit :
>>
>>> On Sat, Oct 27, 2012 at 11:00 AM, Alban D. <blan...@gmail.com> wrote:
>>>>
>>>> Hi everyone,
>>>>
>>>> iSEC Partners just released a paper that provides detailed guidelines
>>>> and sample code on how to properly do certificate validation with
>>>> OpenSSL:
>>>>
>>>> http://www.isecpartners.com/blog/2012/10/14/the-lurking-menace-of-broken-tls-validation.html
>>>>
>>>> It is not trivial and so I thought this reference material could be
>>>> useful to people on this mailing list.
>>>
>>> ] int validate_hostname(char *hostname, X509 *server_cert) {
>>> ]   int hostname_matched = HOSTNAME_VALIDATION_ERR;
>>> ]   if((hostname == NULL) || (server_cert == NULL))
>>> ]      goto error;
>>> ] ...
>>> ]   error:
>>> ]     return hostname_matched;
>>> ] }
>>> You failed open rather than closed. It's not a good choice of
>>> strategies for high integrity software.
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    openssl-users@openssl.org
> Automated List Manager                           majord...@openssl.org
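
Added example (not code from the thread, the iSEC Partners paper or OpenSSL): the pattern the thread settles on, where the result variable starts as HOSTNAME_VALIDATION_ERR and the caller accepts only an explicit match value. The other result codes, struct demo_cert standing in for X509, and the sample names are assumptions; the embedded-NUL check goes beyond the quoted snippet.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>
/* Hypothetical result codes: only HOSTNAME_VALIDATION_ERR appears in the thread. */
enum { HOSTNAME_MATCH_FOUND, HOSTNAME_MATCH_NOT_FOUND,
       HOSTNAME_MALFORMED_CERT, HOSTNAME_VALIDATION_ERR };

/* Stand-in for the DNS names in an X509 certificate (assumption, not OpenSSL). */
struct demo_name { const char *data; size_t len; };
struct demo_cert { const struct demo_name *names; size_t count; };

static int same_name(const char *host, const struct demo_name *n) {
    size_t i;
    if (strlen(host) != n->len) return 0;
    for (i = 0; i < n->len; i++)
        if (tolower((unsigned char)host[i]) != tolower((unsigned char)n->data[i]))
            return 0;
    return 1;
}

int validate_hostname(const char *hostname, const struct demo_cert *server_cert) {
    int hostname_matched = HOSTNAME_VALIDATION_ERR; /* default is the error code */
    size_t i;
    if (hostname == NULL || server_cert == NULL)
        goto error;                                 /* returned unmodified */
    hostname_matched = HOSTNAME_MATCH_NOT_FOUND;
    for (i = 0; i < server_cert->count; i++) {
        const struct demo_name *n = &server_cert->names[i];
        if (n->data == NULL || memchr(n->data, '\0', n->len) != NULL) {
            hostname_matched = HOSTNAME_MALFORMED_CERT; /* embedded NUL byte */
            goto error;
        }
        if (same_name(hostname, n)) { hostname_matched = HOSTNAME_MATCH_FOUND; break; }
    }
error:
    return hostname_matched;
}

/* Accept on one explicit value only; testing the result for truth would
   treat every nonzero code, including the error code, as a match. */
int connection_allowed(const char *hostname, const struct demo_cert *cert) {
    return validate_hostname(hostname, cert) == HOSTNAME_MATCH_FOUND;
}
/* Constructed sample data. */
static const struct demo_name good_names[] = { { "www.example.test", 16 } };
static const struct demo_name nul_names[] = { { "www.example.test\0.other.test", 28 } };
const struct demo_cert demo_good = { good_names, 1 };
const struct demo_cert demo_nul = { nul_names, 1 };

int main(void) { return connection_allowed("www.example.test", &demo_good) ? 0 : 1; }
```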