Sorry for the confusion.
We initially uploaded the wrong version of the paper and that's
something I noticed yesterday.
The code was out of sync with the repo on Github. I also changed a few
other things while I was at it.
Thanks for all the feedback.
2012/10/30 Jeffrey Walton noloa...@gmail.com:
On Mon, Oct 29, 2012 at 4:02 PM, Erwann Abalea
erwann.aba...@keynectis.com wrote:
Where's the failure here?
hostname_matched is set to HOSTNAME_VALIDATION_ERR at initialization, and in
case of a NULL hostname or certificate it is returned by the function,
unmodified.
My bad - you were right. I fetched the document again and some parts
were rewritten. The re-written document did not include the function
with HOSTNAME_VALIDATION_ERR. I'm not sure how I missed
hostname_matched was a return variable (I think I zero'd in on the
name, which implied a match).
Jeff
Le 27/10/2012 21:00, Jeffrey Walton a écrit :
On Sat, Oct 27, 2012 at 11:00 AM, Alban D. blan...@gmail.com wrote:
Hi everyone,
iSEC Partners just released a paper that provides detailed guidelines
and sample code on how to properly do certificate validation with
OpenSSL:
http://www.isecpartners.com/blog/2012/10/14/the-lurking-menace-of-broken-tls-validation.html
It is not trivial and so I thought this reference material could be
useful to people on this mailing list.
] int validate_hostname(char *hostname, X509 *server_cert) {
] int hostname_matched = HOSTNAME_VALIDATION_ERR;
] if((hostname == NULL) || (server_cert == NULL))
] goto error;
] ...
] error:
] return hostname_matched;
] }
You failed open rather than closed. Its not a good choice of
strategies for high integrity software.
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager majord...@openssl.org
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager majord...@openssl.org