cURL / Mailing Lists / curl-library / Single Mail


RE: [ curl-Bugs-2829955 ] Wildcard cert name checking and null termination(fwd)

From: Daniel Stenberg <>
Date: Fri, 31 Jul 2009 11:35:43 +0200 (CEST)

On Fri, 31 Jul 2009, Patrick Monnerat wrote:

> The links says:

Gah, yes it is hidden to private which I think is due to the security-related
nature of it. So do login to read the deails - not that there's a lot more
than I'll give away in this mail further below. I'll lift the private flag
from it as soon as we've given this some closer analysis.

But ok, if you read about the the documented flaw at and
elsewhere (apparently it popped up at the Black Hat conference going on or
whatever) you can probably quickly get an understanding for the problem. I've
also seen people in the NSS camp act on this. I have not seen what the GnuTLS
people do.

The problem is basically that some CAs have allowed zeroes in the name fields
in certs, and the wildcard checking routines like those in libcurl, assume
that the extracted host names are zero terminated and thus get tricked into
verify this certificate for the wrong hosts.

whoa, now I really have to get some "real work" done!

Received on 2009-07-31