oss-sec mailing list archives

Re: Re: CVE request: perl-IO-Socket-SSL certificate hostname compare bug


From: Steffen Ullrich <Steffen_Ullrich () genua de>
Date: Mon, 31 Aug 2009 21:28:34 +0200


I ran some tests on Net-SSLeay-1.35 and IO-Socket-SSL-1.30 and
verify_hostname always returned an error for NUL in both CN and SAN.

I just verified it for CN using the \0 certificate from sslsniff.
So it looks like it's not an issue for Net::SSLeay and IO::Socket::SSL.

Regards,
Steffen

-- 
GeNUA Gesellschaft für Netzwerk - und Unix-Administration mbH
Domagkstr. 7, D-85551 Kirchheim. http://www.genua.de
Tel: (089) 99 19 50-0, Fax: (089) 99 10 50 - 999

Managing directors: Dr. Magnus Harlander, Dr. Michaela Harlander,
Bernhard Schneck. Amtsgericht München HRB 98238

