Opened 10 years ago
Closed 10 years ago
Last modified 9 years ago
#468 closed defect (worksforme)
X509_NAME_oneline and strings
| Reported by: | Jeffrey Walton | Owned by: | |
| Keywords: | openssl certificate validation | Cc: | |
$ uname -a
Darwin riemann.home.pvt 12.5.0 Darwin Kernel Version 12.5.0: Sun Sep 29 13:33:47 PDT 2013; root:xnu-2050.48.12~1/RELEASE_X86_64 x86_64
$ objs/nginx -V
nginx version: nginx/1.4.4
TLS SNI support enabled
configure arguments: --with-http_ssl_module
X509_NAME_oneline does not handle embedded NULLs properly (among other issues). From the OpenSSL docs (https://www.openssl.org/docs/crypto/X509_NAME_print_ex.html): "The functions X509_NAME_oneline() and X509_NAME_print() are legacy functions which produce a non standard output form, they don't handle multi character fields and have various quirks and inconsistencies. Their use is strongly discouraged in new applications."
The attacks have been used in practice. "More Tricks For Defeating SSL In Practice", https://www.blackhat.com/presentations/bh-usa-09/MARLINSPIKE/BHUSA09-Marlinspike-DefeatSSL-SLIDES.pdf.
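The embedded-NUL concern raised in this ticket, shown as an added example that is not part of the ticket and not nginx or OpenSSL code: a name field compared as a C string versus compared with its explicit length, plus a log-safe rendering that makes the NUL byte visible. The function names and the sample bytes are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample field with an embedded NUL (not from a real certificate). With
 * OpenSSL, bytes and length come from ASN1_STRING_get0_data()/ASN1_STRING_length(). */
static const unsigned char SAMPLE_CN[] = "www.example.com\0.other.example";
#define SAMPLE_CN_LEN (sizeof(SAMPLE_CN) - 1)

/* Naive: C-string comparison stops at the first NUL byte. */
int naive_name_matches(const unsigned char *field, const char *expected)
{
    return strcmp((const char *)field, expected) == 0;
}

/* Length-aware: reject any embedded NUL, then compare all len bytes.
 * Case folding and wildcard rules are left out to keep this short. */
int strict_name_matches(const unsigned char *field, size_t len, const char *expected)
{
    if (memchr(field, '\0', len) != NULL) return 0;
    return len == strlen(expected) && memcmp(field, expected, len) == 0;
}

/* Log-safe rendering: bytes outside printable ASCII (and '\\') become \xHH. */
size_t escape_name(const unsigned char *field, size_t len, char *out, size_t outsz)
{
    static const char hex[] = "0123456789ABCDEF";
    size_t o = 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = field[i];
        int plain = (c >= ' ' && c <= '~' && c != '\\');
        if (o + (plain ? 1 : 4) >= outsz) break;   /* truncate, never overflow */
        if (plain) { out[o++] = (char)c; continue; }
        out[o++] = '\\'; out[o++] = 'x';
        out[o++] = hex[c >> 4]; out[o++] = hex[c & 0x0F];
    }
    if (outsz > 0) out[o] = '\0';
    return o;
}

int main(void)
{
    char buf[128];
    escape_name(SAMPLE_CN, SAMPLE_CN_LEN, buf, sizeof buf);
    printf("field=%s naive=%d strict=%d\n", buf, naive_name_matches(SAMPLE_CN, "www.example.com"),
           strict_name_matches(SAMPLE_CN, SAMPLE_CN_LEN, "www.example.com"));
    return 0;
}
```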
Change History (2)
comment:1 by , 10 years ago
|Status:||new → closed|
comment:2 by , 9 years ago
Interesting, but looks unrelated. And, BTW, X509_NAME_oneline() handles NULLs, it's just a question of how you define "properly".