Author christian.heimes
Recipients barry, christian.heimes, vstinner
Date 2013-08-12.13:14:14
Message-id <1376313254.64.0.104436386224.issue18709@psf.upfronthosting.co.za>
In-reply-to
Content
OpenSSL's print() functions fail to handle the NULL byte in subjectAltName (SAN) general names as they use strlen() or printf() functions with "%s" format char. The subject and issuer elements with NULL bytes are handled correctly by OpenSSL.

wget and curl combine CN / SAN parsing and hostname matching in one function. Both report an error when they see a NULL byte in a dNSName (strlen(dNSName) != length of ASN1_STRING).

Python has separate functions for retrieving the X.509 information and matching a hostname against CN / SAN. I'd like to keep it that way and just fix our parsing code in this bug. Later, ssl.match_hostname() can check for NULL bytes and raise an exception, but that's a different issue.
History
Date User Action Args
2013-08-12 13:14:14 christian.heimes set recipients: + christian.heimes, barry, vstinner
2013-08-12 13:14:14 christian.heimes set messageid: <1376313254.64.0.104436386224.issue18709@psf.upfronthosting.co.za>
2013-08-12 13:14:14 christian.heimes link issue18709 messages
2013-08-12 13:14:14 christian.heimes create
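
The length comparison the message describes for wget and curl, as an added example (not code from OpenSSL, wget, curl or CPython). `struct san_name` is a hypothetical stand-in for an ASN1_STRING's data pointer and length, the sample bytes are constructed, and the escaping renderer is one assumed way to print a name without truncating at the NUL.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for an ASN1_STRING: raw bytes plus explicit length. */
struct san_name { const unsigned char *data; size_t length; };

/* Constructed sample: dNSName bytes with an embedded NUL (24 bytes). */
static const unsigned char SAMPLE[] = "example.org\0.example.net";
static const struct san_name sample = { SAMPLE, sizeof(SAMPLE) - 1 };

/* Length that strlen() or printf("%s") would see, bounded by the ASN.1
 * length so the scan never runs past the buffer. */
static size_t visible_length(const struct san_name *n)
{
    const unsigned char *p = memchr(n->data, '\0', n->length);
    return p ? (size_t)(p - n->data) : n->length;
}

/* The check from the message: reject when the C-string length differs
 * from the ASN.1 length, i.e. the name contains an embedded NUL. */
static int dnsname_has_embedded_nul(const struct san_name *n)
{
    return visible_length(n) != n->length;
}

/* Length-aware rendering: copies all n->length bytes, escaping anything
 * non-printable as \xNN. Returns characters written, or -1 if out is too small. */
static int render_name(const struct san_name *n, char *out, size_t outsz)
{
    size_t used = 0;
    if (outsz == 0)
        return -1;
    for (size_t i = 0; i < n->length; i++) {
        unsigned char c = n->data[i];
        int printable = (c >= 0x20 && c < 0x7f && c != '\\');
        if (used + (printable ? 1 : 4) + 1 > outsz)
            return -1;
        if (printable)
            out[used++] = (char)c;
        else
            used += (size_t)snprintf(out + used, outsz - used, "\\x%02x", (unsigned)c);
    }
    out[used] = '\0';
    return (int)used;
}
```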