Re: [openssl-users] Re: Reference material on how to do certificate validation with OpenSSL

2012-10-30 Thread Alban D.
Sorry for the confusion.
We initially uploaded the wrong version of the paper and that's
something I noticed yesterday.
The code was out of sync with the repo on GitHub. I also changed a few
other things while I was at it.
Thanks for all the feedback.

2012/10/30 Jeffrey Walton:
> On Mon, Oct 29, 2012 at 4:02 PM, Erwann Abalea wrote:
>> Where's the failure here?
>> hostname_matched is set to HOSTNAME_VALIDATION_ERR at initialization, and in
>> case of a NULL hostname or certificate it is returned by the function,
>> unmodified.
> My bad - you were right. I fetched the document again and some parts
> were rewritten. The re-written document did not include the function
> with HOSTNAME_VALIDATION_ERR. I'm not sure how I missed
> hostname_matched was a return variable (I think I zeroed in on the
> name, which implied a match).
>
> Jeff
>
>> On 27/10/2012 21:00, Jeffrey Walton wrote:
>>
>>> On Sat, Oct 27, 2012 at 11:00 AM, Alban D. wrote:
>>>>
>>>> Hi everyone,
>>>>
>>>> iSEC Partners just released a paper that provides detailed guidelines
>>>> and sample code on how to properly do certificate validation with
>>>> OpenSSL:
>>>>
>>>> http://www.isecpartners.com/blog/2012/10/14/the-lurking-menace-of-broken-tls-validation.html
>>>>
>>>> It is not trivial and so I thought this reference material could be
>>>> useful to people on this mailing list.
>>>
>>> ] int validate_hostname(char *hostname, X509 *server_cert) {
>>> ]   int hostname_matched = HOSTNAME_VALIDATION_ERR;
>>> ]   if((hostname == NULL) || (server_cert == NULL))
>>> ]     goto error;
>>> ] ...
>>> ] error:
>>> ]   return hostname_matched;
>>> ] }
>>> You failed open rather than closed. It's not a good choice of
>>> strategies for high integrity software.
__
OpenSSL Project                 http://www.openssl.org
User Support Mailing List       openssl-users@openssl.org
Automated List Manager          majord...@openssl.org


Re: [openssl-users] Re: Reference material on how to do certificate validation with OpenSSL

2012-10-29 Thread Jeffrey Walton
On Mon, Oct 29, 2012 at 4:02 PM, Erwann Abalea wrote:
> Where's the failure here?
> hostname_matched is set to HOSTNAME_VALIDATION_ERR at initialization, and in
> case of a NULL hostname or certificate it is returned by the function,
> unmodified.
My bad - you were right. I fetched the document again and some parts
were rewritten. The re-written document did not include the function
with HOSTNAME_VALIDATION_ERR. I'm not sure how I missed
hostname_matched was a return variable (I think I zeroed in on the
name, which implied a match).

Jeff

> On 27/10/2012 21:00, Jeffrey Walton wrote:
>
>> On Sat, Oct 27, 2012 at 11:00 AM, Alban D. wrote:
>>>
>>> Hi everyone,
>>>
>>> iSEC Partners just released a paper that provides detailed guidelines
>>> and sample code on how to properly do certificate validation with
>>> OpenSSL:
>>>
>>> http://www.isecpartners.com/blog/2012/10/14/the-lurking-menace-of-broken-tls-validation.html
>>>
>>> It is not trivial and so I thought this reference material could be
>>> useful to people on this mailing list.
>>
>> ] int validate_hostname(char *hostname, X509 *server_cert) {
>> ]   int hostname_matched = HOSTNAME_VALIDATION_ERR;
>> ]   if((hostname == NULL) || (server_cert == NULL))
>> ]     goto error;
>> ] ...
>> ] error:
>> ]   return hostname_matched;
>> ] }
>> You failed open rather than closed. It's not a good choice of
>> strategies for high integrity software.


Re: [openssl-users] Re: Reference material on how to do certificate validation with OpenSSL

2012-10-29 Thread Jeffrey Walton
On Mon, Oct 29, 2012 at 4:02 PM, Erwann Abalea wrote:
> Where's the failure here?
> hostname_matched is set to HOSTNAME_VALIDATION_ERR at initialization, and in
> case of a NULL hostname or certificate it is returned by the function,
> unmodified.
HOSTNAME_VALIDATION_ERR is not mentioned in
https://github.com/iSECPartners/ssl-conservatory/raw/master/everything-you-wanted-to-know-about-openssl.pdf.

Jeff

> On 27/10/2012 21:00, Jeffrey Walton wrote:
>
>> On Sat, Oct 27, 2012 at 11:00 AM, Alban D. wrote:
>>>
>>> Hi everyone,
>>>
>>> iSEC Partners just released a paper that provides detailed guidelines
>>> and sample code on how to properly do certificate validation with
>>> OpenSSL:
>>>
>>> http://www.isecpartners.com/blog/2012/10/14/the-lurking-menace-of-broken-tls-validation.html
>>>
>>> It is not trivial and so I thought this reference material could be
>>> useful to people on this mailing list.
>>
>> ] int validate_hostname(char *hostname, X509 *server_cert) {
>> ]   int hostname_matched = HOSTNAME_VALIDATION_ERR;
>> ]   if((hostname == NULL) || (server_cert == NULL))
>> ]     goto error;
>> ] ...
>> ] error:
>> ]   return hostname_matched;
>> ] }
>> You failed open rather than closed. It's not a good choice of
>> strategies for high integrity software.


Re: [openssl-users] Re: Reference material on how to do certificate validation with OpenSSL

2012-10-29 Thread Erwann Abalea

Where's the failure here?
hostname_matched is set to HOSTNAME_VALIDATION_ERR at initialization, 
and in case of a NULL hostname or certificate it is returned by the 
function, unmodified.


--
Erwann ABALEA

On 27/10/2012 21:00, Jeffrey Walton wrote:

> On Sat, Oct 27, 2012 at 11:00 AM, Alban D. wrote:
>>
>> Hi everyone,
>>
>> iSEC Partners just released a paper that provides detailed guidelines
>> and sample code on how to properly do certificate validation with
>> OpenSSL:
>> http://www.isecpartners.com/blog/2012/10/14/the-lurking-menace-of-broken-tls-validation.html
>>
>> It is not trivial and so I thought this reference material could be
>> useful to people on this mailing list.
>
> ] int validate_hostname(char *hostname, X509 *server_cert) {
> ]   int hostname_matched = HOSTNAME_VALIDATION_ERR;
> ]   if((hostname == NULL) || (server_cert == NULL))
> ]     goto error;
> ] ...
> ] error:
> ]   return hostname_matched;
> ] }
> You failed open rather than closed. It's not a good choice of
> strategies for high integrity software.

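
The pattern discussed in the message above (result variable initialised to the error value, so every early exit fails closed), as an added example that is not part of the thread and is not the iSEC Partners code. The cert_names struct, the HOSTNAME_NOT_MATCHED and HOSTNAME_MATCHED values, names_equal() and connection_allowed() are assumptions made so the example builds without OpenSSL; validate_hostname() here takes that struct instead of an X509 pointer.

```c
#include <ctype.h>
#include <stddef.h>
/* Constructed result codes; only HOSTNAME_VALIDATION_ERR appears in the thread. */
enum { HOSTNAME_VALIDATION_ERR = -1, HOSTNAME_NOT_MATCHED = 0, HOSTNAME_MATCHED = 1 };

/* Hypothetical stand-in for a certificate's names (no OpenSSL needed). */
struct cert_names { const char *const *names; size_t count; };

/* ASCII case-insensitive comparison of two NUL-terminated names. */
static int names_equal(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    return *a == *b;
}

/* Fail closed: the result starts as an error and is upgraded only after the
 * inputs have been checked, so every early exit returns a non-match value. */
int validate_hostname(const char *hostname, const struct cert_names *cert)
{
    int hostname_matched = HOSTNAME_VALIDATION_ERR;
    if (hostname == NULL || cert == NULL || cert->names == NULL)
        goto error;
    hostname_matched = HOSTNAME_NOT_MATCHED;
    for (size_t i = 0; i < cert->count; i++) {
        if (cert->names[i] == NULL) {   /* malformed entry: back to error */
            hostname_matched = HOSTNAME_VALIDATION_ERR;
            goto error;
        }
        if (names_equal(hostname, cert->names[i]))
            hostname_matched = HOSTNAME_MATCHED;
    }
error:
    return hostname_matched;
}

/* Caller side: accept exactly one success value, never "anything but error". */
int connection_allowed(const char *hostname, const struct cert_names *cert)
{
    return validate_hostname(hostname, cert) == HOSTNAME_MATCHED;
}

int main(void)
{
    const char *const names[] = { "www.example.org", "example.org" }; /* constructed */
    struct cert_names cert = { names, 2 };
    return !(connection_allowed("WWW.example.org", &cert) && !connection_allowed(NULL, &cert));
}
```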