cURL / Mailing Lists / curl-library / Single Mail

curl-library

[ curl-Bugs-2829955 ] Wildcard cert name checking and null termination (fwd)

From: Daniel Stenberg <daniel_at_haxx.se>
Date: Fri, 31 Jul 2009 10:09:14 +0200 (CEST)

Hi friends,

I'm especially forwarding this from the tracker to get some more eyeballs on
this issue:

https://sourceforge.net/tracker/?func=detail&atid=100976&aid=2829955&group_id=976

"There's a new wildcard cert attack made public here:
http://www.theregister.co.uk/2009/07/30/universal_ssl_certificate/

   I took a pass over the name matching code, and unless something in openssl
   or the code that gets at the subject names is somehow immune, the matching
   logic seems to be vulnerable. If not, feel free to close."

I'll get on on the case soon as well, but feel encouraged to join in and help!
Received on 2009-07-31

This message: [ Message body ]
Next message: Patrick Monnerat: "RE: [ curl-Bugs-2829955 ] Wildcard cert name checking and null termination(fwd)"
Previous message: Daniel Stenberg: "Re: Doesn't fwrite() return the number of objects written, not the number of bytes?"
Next in thread: Patrick Monnerat: "RE: [ curl-Bugs-2829955 ] Wildcard cert name checking and null termination(fwd)"
Reply: Patrick Monnerat: "RE: [ curl-Bugs-2829955 ] Wildcard cert name checking and null termination(fwd)"

Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ] [ by messages with attachments ]