Re: [openssl-users] Re: Reference material on how to do certificate validation with OpenSSL
Sorry for the confusion. We initially uploaded the wrong version of the paper and that's something I noticed yesterday. The code was out of sync with the repo on Github. I also changed a few other things while I was at it. Thanks for all the feedback.

2012/10/30 Jeffrey Walton:
> On Mon, Oct 29, 2012 at 4:02 PM, Erwann Abalea wrote:
>> Where's the failure here?
>> hostname_matched is set to HOSTNAME_VALIDATION_ERR at initialization, and in
>> case of a NULL hostname or certificate it is returned by the function,
>> unmodified.
>
> My bad - you were right. I fetched the document again and some parts
> were rewritten. The re-written document did not include the function
> with HOSTNAME_VALIDATION_ERR. I'm not sure how I missed
> hostname_matched was a return variable (I think I zeroed in on the
> name, which implied a match).
>
> Jeff
>
>> On 27/10/2012 21:00, Jeffrey Walton wrote:
>>
>>> On Sat, Oct 27, 2012 at 11:00 AM, Alban D. wrote:
>>>> Hi everyone,
>>>>
>>>> iSEC Partners just released a paper that provides detailed guidelines
>>>> and sample code on how to properly do certificate validation with
>>>> OpenSSL:
>>>>
>>>> http://www.isecpartners.com/blog/2012/10/14/the-lurking-menace-of-broken-tls-validation.html
>>>>
>>>> It is not trivial and so I thought this reference material could be
>>>> useful to people on this mailing list.
>>>
>>> ] int validate_hostname(char *hostname, X509 *server_cert) {
>>> ]     int hostname_matched = HOSTNAME_VALIDATION_ERR;
>>> ]     if((hostname == NULL) || (server_cert == NULL))
>>> ]         goto error;
>>> ]     ...
>>> ] error:
>>> ]     return hostname_matched;
>>> ] }
>>>
>>> You failed open rather than closed. It's not a good choice of
>>> strategies for high integrity software.

__
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
Re: [openssl-users] Re: Reference material on how to do certificate validation with OpenSSL
On Mon, Oct 29, 2012 at 4:02 PM, Erwann Abalea wrote:
> Where's the failure here?
> hostname_matched is set to HOSTNAME_VALIDATION_ERR at initialization, and in
> case of a NULL hostname or certificate it is returned by the function,
> unmodified.

My bad - you were right. I fetched the document again and some parts were rewritten. The re-written document did not include the function with HOSTNAME_VALIDATION_ERR. I'm not sure how I missed hostname_matched was a return variable (I think I zeroed in on the name, which implied a match).

Jeff

> On 27/10/2012 21:00, Jeffrey Walton wrote:
>
>> On Sat, Oct 27, 2012 at 11:00 AM, Alban D. wrote:
>>> Hi everyone,
>>>
>>> iSEC Partners just released a paper that provides detailed guidelines
>>> and sample code on how to properly do certificate validation with
>>> OpenSSL:
>>>
>>> http://www.isecpartners.com/blog/2012/10/14/the-lurking-menace-of-broken-tls-validation.html
>>>
>>> It is not trivial and so I thought this reference material could be
>>> useful to people on this mailing list.
>>
>> ] int validate_hostname(char *hostname, X509 *server_cert) {
>> ]     int hostname_matched = HOSTNAME_VALIDATION_ERR;
>> ]     if((hostname == NULL) || (server_cert == NULL))
>> ]         goto error;
>> ]     ...
>> ] error:
>> ]     return hostname_matched;
>> ] }
>>
>> You failed open rather than closed. It's not a good choice of
>> strategies for high integrity software.
Re: [openssl-users] Re: Reference material on how to do certificate validation with OpenSSL
On Mon, Oct 29, 2012 at 4:02 PM, Erwann Abalea wrote:
> Where's the failure here?
> hostname_matched is set to HOSTNAME_VALIDATION_ERR at initialization, and in
> case of a NULL hostname or certificate it is returned by the function,
> unmodified.

HOSTNAME_VALIDATION_ERR is not mentioned in https://github.com/iSECPartners/ssl-conservatory/raw/master/everything-you-wanted-to-know-about-openssl.pdf.

Jeff

> On 27/10/2012 21:00, Jeffrey Walton wrote:
>
>> On Sat, Oct 27, 2012 at 11:00 AM, Alban D. wrote:
>>> Hi everyone,
>>>
>>> iSEC Partners just released a paper that provides detailed guidelines
>>> and sample code on how to properly do certificate validation with
>>> OpenSSL:
>>>
>>> http://www.isecpartners.com/blog/2012/10/14/the-lurking-menace-of-broken-tls-validation.html
>>>
>>> It is not trivial and so I thought this reference material could be
>>> useful to people on this mailing list.
>>
>> ] int validate_hostname(char *hostname, X509 *server_cert) {
>> ]     int hostname_matched = HOSTNAME_VALIDATION_ERR;
>> ]     if((hostname == NULL) || (server_cert == NULL))
>> ]         goto error;
>> ]     ...
>> ] error:
>> ]     return hostname_matched;
>> ] }
>>
>> You failed open rather than closed. It's not a good choice of
>> strategies for high integrity software.
Re: [openssl-users] Re: Reference material on how to do certificate validation with OpenSSL
Where's the failure here?
hostname_matched is set to HOSTNAME_VALIDATION_ERR at initialization, and in case of a NULL hostname or certificate it is returned by the function, unmodified.

--
Erwann ABALEA

On 27/10/2012 21:00, Jeffrey Walton wrote:
> On Sat, Oct 27, 2012 at 11:00 AM, Alban D. wrote:
>> Hi everyone,
>>
>> iSEC Partners just released a paper that provides detailed guidelines
>> and sample code on how to properly do certificate validation with
>> OpenSSL:
>>
>> http://www.isecpartners.com/blog/2012/10/14/the-lurking-menace-of-broken-tls-validation.html
>>
>> It is not trivial and so I thought this reference material could be
>> useful to people on this mailing list.
>
> ] int validate_hostname(char *hostname, X509 *server_cert) {
> ]     int hostname_matched = HOSTNAME_VALIDATION_ERR;
> ]     if((hostname == NULL) || (server_cert == NULL))
> ]         goto error;
> ]     ...
> ] error:
> ]     return hostname_matched;
> ] }
>
> You failed open rather than closed. It's not a good choice of
> strategies for high integrity software.
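The fail-closed pattern Erwann points out (the result variable starts as HOSTNAME_VALIDATION_ERR and is returned unmodified on bad input) carried through to a working hostname matcher, as an added example that is not code from the iSEC paper or from anyone in the thread. It operates on the dNSName bytes a caller would already have extracted from the certificate's SAN extension, so no OpenSSL call is made; the enum names HOSTNAME_MATCH_FOUND and HOSTNAME_MATCH_NOT_FOUND, the functions match_dns_name and validate_hostname_dns, and the sample names in main are assumptions of this example. Only HOSTNAME_VALIDATION_ERR is taken from the quoted snippet.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Result codes. HOSTNAME_VALIDATION_ERR is the name in the quoted snippet; the
 * two MATCH names are assumptions of this example. Every function below starts
 * from the error code, so any early exit can only ever report failure. */
enum hostname_result {
    HOSTNAME_MATCH_FOUND = 0,
    HOSTNAME_MATCH_NOT_FOUND = 1,
    HOSTNAME_VALIDATION_ERR = 2
};

/* Case-insensitive equality of two byte ranges of the same length n. */
static int eq_nocase(const char *a, const char *b, size_t n)
{
    size_t i;
    for (i = 0; i < n; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return 0;
    return 1;
}

/* Match one dNSName (explicit length, as an ASN1_STRING carries it) against
 * the expected hostname. A wildcard is honoured only as the whole leftmost
 * label and only when at least two labels follow it (*.example.com, not *.com). */
enum hostname_result match_dns_name(const char *hostname,
                                    const unsigned char *cert_name,
                                    size_t cert_name_len)
{
    enum hostname_result result = HOSTNAME_VALIDATION_ERR;
    const char *name = (const char *)cert_name;
    const char *suffix, *hdot;
    size_t hlen, slen, dots, i;

    if (hostname == NULL || cert_name == NULL || cert_name_len == 0)
        goto out;
    /* An embedded NUL ("www.bank.com\0.attacker.com") makes strlen() and the
     * ASN.1 length disagree: treat the name as malformed, never as a match. */
    if (memchr(cert_name, '\0', cert_name_len) != NULL)
        goto out;
    hlen = strlen(hostname);
    if (hlen == 0)
        goto out;

    if (cert_name_len >= 2 && name[0] == '*' && name[1] == '.') {
        suffix = name + 1;               /* ".example.com" */
        slen = cert_name_len - 1;
        for (dots = 0, i = 0; i < slen; i++)
            if (suffix[i] == '.')
                dots++;
        hdot = strchr(hostname, '.');    /* hostname must be "<label>" + suffix */
        if (dots < 2 || hdot == NULL || hdot == hostname ||
            hlen - (size_t)(hdot - hostname) != slen) {
            result = HOSTNAME_MATCH_NOT_FOUND;
            goto out;
        }
        result = eq_nocase(hdot, suffix, slen) ? HOSTNAME_MATCH_FOUND
                                               : HOSTNAME_MATCH_NOT_FOUND;
        goto out;
    }
    result = (hlen == cert_name_len && eq_nocase(hostname, name, hlen))
                 ? HOSTNAME_MATCH_FOUND : HOSTNAME_MATCH_NOT_FOUND;
out:
    return result;
}

/* Check the hostname against every dNSName candidate (names[i] is lens[i]
 * bytes long). A malformed entry fails the whole validation; a match anywhere
 * succeeds; otherwise the answer is "no match". */
enum hostname_result validate_hostname_dns(const char *hostname,
                                           const unsigned char *const *names,
                                           const size_t *lens, size_t count)
{
    enum hostname_result result = HOSTNAME_VALIDATION_ERR;
    size_t i;

    if (hostname == NULL || names == NULL || lens == NULL)
        goto out;
    result = HOSTNAME_MATCH_NOT_FOUND;
    for (i = 0; i < count; i++) {
        enum hostname_result r = match_dns_name(hostname, names[i], lens[i]);
        if (r == HOSTNAME_VALIDATION_ERR) { result = r; goto out; }
        if (r == HOSTNAME_MATCH_FOUND)    { result = r; break; }
    }
out:
    return result;
}

int main(void)
{
    /* Constructed sample SAN entries, as the raw bytes an ASN1_STRING holds. */
    static const unsigned char n1[] = "www.example.com";
    static const unsigned char n2[] = "*.example.net";
    static const unsigned char n3[] = "www.bank.com\0.attacker.com";
    const unsigned char *names[] = { n1, n2 };
    const size_t lens[] = { sizeof n1 - 1, sizeof n2 - 1 };

    printf("%d\n", validate_hostname_dns("WWW.Example.COM", names, lens, 2));
    printf("%d\n", validate_hostname_dns("api.example.net", names, lens, 2));
    printf("%d\n", validate_hostname_dns("a.b.example.net", names, lens, 2));
    printf("%d\n", match_dns_name("www.bank.com", n3, sizeof n3 - 1));
    printf("%d\n", validate_hostname_dns(NULL, names, lens, 2));
    return 0;
}
```

With OpenSSL the caller would obtain the candidate names by reading the SAN extension (X509_get_ext_d2i with NID_subject_alt_name yields the GENERAL_NAMES list, and each GEN_DNS entry carries its own length), which is exactly why the matcher takes a length rather than trusting a C string; on OpenSSL 1.0.2 and later X509_check_host performs this matching itself.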