Re: CVE Request 1, NSS 2, Qt: Doesn't handle wildcards in Common Name properly

[Richard Moore <rich () westpoint ltd uk>]

On 04/09/2010 14:37, Joe Orton wrote:
> On Fri, Sep 03, 2010 at 06:20:49PM +0200, Jan Lieskovsky wrote:
> >    1, Network Security Services (NSS) handled wildcard (*) character
> >       in the Common Name field of a x509v3 digital certificate.
> >       If an attacker is able to get a carefully-crafted certificate,
> >       signed by a Certificate Authority trusted by Firefox, the attacker
> >       could use the certificate during the man-in-the-middle attack and
> >       potentially confuse Firefox into accepting it by mistake. Different
> >       vulnerability than CVE-2009-2408.
>
> I would suspect that many of the usual raft of OpenSSL-based apps with
> hand-crafted cert identity checks will be vulnerable to this too, where
> wildcard certs are supported.

We did try some other openssl based apps but most had either no
wildcard support, no real CN validation, or wildcard support that
use the old-style shell-globs which is much worse anyway. Unlike NSS
openssl doesn't provide a function for performing CN validation
which means that apps have generally rolled their own (poor)
implementations.

Cheers

Rich.

> Regards, Joe


--
Richard Moore, Principal Software Engineer,
Westpoint Ltd,
Albion Wharf, 19 Albion Street, Manchester, M1 5LN, England
Tel: +44 161 237 1028
Fax: +44 161 237 1031