Message30387
Logged In: YES
user_id=21627
The bug is not in the server() and issuer() methods
(which do exactly what they are meant to do); the bug is in
applications which assume that the result of these methods
can be parsed. As you point out, it cannot. The functions,
as is, don't present a security problem. If their result is
presented as-is to the user, the user can determine herself
whether she recognizes the entity referred-to in the
distinguished name.
Notice that it is certainly possible to produce an
unambiguous string representation of a distinguished name;
RFC 4514 specifies an algorithm to do so (for use within LDAP).
Also notice that the SSL module does little to actually
support trust: there is no verification of server-side
certs, no access to extensions of a certificate, etc. So an
application and a user should *not* trust the issuer name it
received, anyway (unless
there is an independent verification that the server
certificate can be trusted).
All that said: If you think you need this functionality,
please provide a patch to implement it.

Date | User | Action | Args
2007-08-23 14:49:07 | admin | link | issue1583946 messages
2007-08-23 14:49:07 | admin | create |
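An added illustration of the two points above (this is example code, not part of the issue or of the ssl module): a flat, unescaped rendering of a distinguished name is ambiguous, whereas the RFC 4514 string form can be parsed back unambiguously. The slash-separated naive_dn() form below stands in for the kind of unparseable output the comment describes; the sample DNs are constructed for the example.

```python
"""RFC 4514 string form of a distinguished name (added example).

Shows why an unescaped rendering of a DN cannot be parsed reliably and
how the RFC 4514 escaping rules (section 2.4) give a string that
survives a round trip.  A DN is represented as a list of RDNs in X.500
order (most significant first); each RDN is a list of (type, value)
pairs (several pairs only for multi-valued RDNs).
"""

# Characters that must be backslash-escaped wherever they occur in a value.
_SPECIAL = set('"+,;<>\\')


def naive_dn(rdns):
    """Unescaped slash-separated form (stand-in for the legacy, unparseable
    output): a '/' inside a value is indistinguishable from the separator."""
    return ''.join(f'/{t}={v}' for rdn in rdns for t, v in rdn)


def escape_value(value):
    """Escape one attribute value according to RFC 4514 section 2.4."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _SPECIAL:
            out.append('\\' + ch)
        elif ch == '\x00':
            out.append('\\00')            # NUL as a hex pair
        elif ch == ' ' and i in (0, last):
            out.append('\\ ')             # leading or trailing space
        elif ch == '#' and i == 0:
            out.append('\\#')             # leading '#'
        else:
            out.append(ch)
    return ''.join(out)


def dn_to_string(rdns):
    """RFC 4514 writes the RDN sequence in reverse order, RDNs joined by ','
    and the attributes of a multi-valued RDN joined by '+'."""
    return ','.join('+'.join(f'{t}={escape_value(v)}' for t, v in rdn)
                    for rdn in reversed(rdns))


def parse_dn(s):
    """Parse an RFC 4514 string back into the X.500-ordered RDN list."""
    rdns, rdn = [], []
    attr_type, value = [], []
    target = attr_type                    # which part is being read
    i, n = 0, len(s)
    while i < n:
        ch = s[i]
        if ch == '\\' and target is value:
            pair = s[i + 1:i + 3]
            if len(pair) == 2 and all(c in '0123456789abcdefABCDEF' for c in pair):
                value.append(chr(int(pair, 16)))   # \XX hex pair
                i += 3
                continue
            if i + 1 >= n:
                raise ValueError('dangling backslash')
            value.append(s[i + 1])        # backslash-escaped character
            i += 2
            continue
        if ch == '=' and target is attr_type:
            target = value
        elif ch in ',+' and target is value:
            rdn.append((''.join(attr_type), ''.join(value)))
            attr_type, value = [], []
            target = attr_type
            if ch == ',':
                rdns.append(rdn)
                rdn = []
        else:
            target.append(ch)
        i += 1
    if target is not value or not attr_type:
        raise ValueError('malformed DN')
    rdn.append((''.join(attr_type), ''.join(value)))
    rdns.append(rdn)
    rdns.reverse()
    return rdns


# Constructed sample DNs: one organisation name happens to contain "/CN=".
DN_A = [[('C', 'US')], [('O', 'Example/CN=Trusted CA')]]
DN_B = [[('C', 'US')], [('O', 'Example')], [('CN', 'Trusted CA')]]


def demo():
    """Return (naive forms collide, RFC 4514 forms differ, round trip ok)."""
    collide = naive_dn(DN_A) == naive_dn(DN_B)
    distinct = dn_to_string(DN_A) != dn_to_string(DN_B)
    tricky = [[('C', 'US')], [('O', 'Foo, Inc.')], [('CN', ' lead'), ('OU', 'x+y')]]
    round_trip = parse_dn(dn_to_string(tricky)) == tricky
    return collide, distinct, round_trip


if __name__ == '__main__':
    print(naive_dn(DN_A), '==', naive_dn(DN_B))
    print(dn_to_string(DN_A), '|', dn_to_string(DN_B))
    print(demo())
```

The first print shows the two different DNs rendering identically in the naive form, which is exactly why a program must not try to recover the CN from such a string; the RFC 4514 renderings differ and parse back to the original structure.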