curl-library Mailing List Archives

RE: [ curl-Bugs-2829955 ] Wildcard cert name checking and null termination (fwd)

From: Daniel Stenberg <daniel_at_haxx.se>
Date: Sat, 1 Aug 2009 10:17:03 +0200 (CEST)

On Fri, 31 Jul 2009, Daniel Stenberg wrote:

> The problem is basically that some CAs have allowed zeroes in the name
> fields in certs, and the wildcard checking routines like those in libcurl,
> assume that the extracted host names are zero terminated and thus get
> tricked into verifying this certificate for the wrong hosts.

Okay friends, here's my take at addressing this issue. It only applies to code
using OpenSSL.

We don't have any test case for this issue or even the legitimate wildcard
alternative name feature, so I would really appreciate some eyeballs on this
and if possible someone could test this with a local setup in case you
actually DO know of a site that uses things like this.

-- 
  / daniel.haxx.se

Received on 2009-08-01
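To make the mismatch concrete, here is an added illustration in C (not Daniel's patch and not libcurl's code): a naive matcher that treats the certificate name as a C string beside a length-aware one that uses the byte length the certificate's ASN.1 encoding reports and rejects embedded NULs. The certificate name and hostnames are constructed samples; `hostmatch_naive` and `hostmatch_len` are hypothetical names.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Constructed sample: a name field of 24 bytes as a CA might have encoded it.
   A C-string view stops at the embedded NUL and sees only "*.example.com". */
static const char cert_name[] = "*.example.com\0.example.net";
static const size_t cert_name_len = sizeof(cert_name) - 1;

/* Naive matcher: assumes the name is NUL terminated, like the code the
   message describes. Only the leading "*." wildcard form is handled here. */
static bool hostmatch_naive(const char *hostname, const char *pattern)
{
  if(pattern[0] == '*' && pattern[1] == '.') {
    const char *dot = strchr(hostname, '.');
    return dot && strcasecmp(dot + 1, pattern + 2) == 0;
  }
  return strcasecmp(hostname, pattern) == 0;
}

/* Length-aware matcher: takes the length the certificate encoding reports
   (never strlen), refuses any NUL inside that span, and compares exactly
   patlen bytes so a prefix can never pass as a full match. */
static bool hostmatch_len(const char *hostname, const char *pattern,
                          size_t patlen)
{
  size_t hostlen = strlen(hostname);
  if(memchr(pattern, '\0', patlen))       /* embedded NUL: reject outright */
    return false;
  if(patlen > 2 && pattern[0] == '*' && pattern[1] == '.') {
    const char *dot = strchr(hostname, '.');
    if(!dot)
      return false;
    size_t taillen = hostlen - (size_t)(dot + 1 - hostname);
    return taillen == patlen - 2 &&
           strncasecmp(dot + 1, pattern + 2, taillen) == 0;
  }
  return hostlen == patlen && strncasecmp(hostname, pattern, patlen) == 0;
}

int main(void)
{
  printf("naive:        %d\n", hostmatch_naive("www.example.com", cert_name));
  printf("length-aware: %d\n",
         hostmatch_len("www.example.com", cert_name, cert_name_len));
  return 0;
}
```

The naive matcher accepts `www.example.com` for the sample name, while the length-aware one rejects it because the NUL falls inside the reported 24-byte span.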
