Where's the failure here?
hostname_matched is set to HOSTNAME_VALIDATION_ERR at initialization,
and in case of a NULL hostname or certificate it is returned by the
function, unmodified.
--
Erwann ABALEA
On 27/10/2012 21:00, Jeffrey Walton wrote:
On Sat, Oct 27, 2012 at 11:00 AM, Alban D. <blan...@gmail.com> wrote:
Hi everyone,
iSEC Partners just released a paper that provides detailed guidelines
and sample code on how to properly do certificate validation with
OpenSSL:
http://www.isecpartners.com/blog/2012/10/14/the-lurking-menace-of-broken-tls-validation.html
It is not trivial and so I thought this reference material could be
useful to people on this mailing list.
] int validate_hostname(char *hostname, X509 *server_cert) {
]     int hostname_matched = HOSTNAME_VALIDATION_ERR;
]     if((hostname == NULL) || (server_cert == NULL))
]         goto error;
]     ...
] error:
]     return hostname_matched;
] }
You failed open rather than closed. It's not a good choice of
strategies for high integrity software.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
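The control flow under discussion, written out as an added example (it is neither the iSEC paper's code nor OpenSSL's): the certificate is replaced by a constructed array of DNS names standing in for X509*, and the three return codes are assumed. The point it makes concrete is Erwann's: because hostname_matched starts at the error value, every path that does not explicitly record MATCH_FOUND returns a non-success code.

```c
/* Added example, not the iSEC paper's or OpenSSL's code. The certificate
 * is modelled by a constructed string array (stand-in for X509*); the
 * return-code names are assumed. */
#include <stddef.h>
#include <stdio.h>
#include <ctype.h>

enum { MATCH_FOUND = 0, MATCH_NOT_FOUND = 1, HOSTNAME_VALIDATION_ERR = -1 };

/* Constructed stand-in for the DNS names extracted from a certificate. */
struct fake_cert { const char *dns_names[4]; size_t count; };

/* DNS names are case-insensitive, so compare them that way. */
static int names_equal(const char *a, const char *b) {
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return 0;
    return *a == '\0' && *b == '\0';
}

int validate_hostname(const char *hostname, const struct fake_cert *cert) {
    /* Initialised to the error value: a NULL input jumps straight to the
     * error label and returns it unmodified, so the function fails closed. */
    int hostname_matched = HOSTNAME_VALIDATION_ERR;
    size_t i;
    if (hostname == NULL || cert == NULL)
        goto error;
    hostname_matched = MATCH_NOT_FOUND;   /* inputs valid, nothing matched yet */
    for (i = 0; i < cert->count; i++) {
        if (cert->dns_names[i] == NULL) { /* malformed entry: error, not "no match" */
            hostname_matched = HOSTNAME_VALIDATION_ERR;
            goto error;
        }
        if (names_equal(hostname, cert->dns_names[i])) {
            hostname_matched = MATCH_FOUND; /* the only path that reports success */
            break;
        }
    }
error:
    return hostname_matched;
}

/* Constructed sample certificate names used by main() and the checks below. */
const struct fake_cert sample_cert = { { "www.example.com", "example.com" }, 2 };

int main(void) {
    printf("%d %d %d\n", validate_hostname("WWW.Example.COM", &sample_cert),
           validate_hostname("evil.example.net", &sample_cert),
           validate_hostname(NULL, &sample_cert)); /* prints "0 1 -1" */
    return 0;
}
```

A caller must test for MATCH_FOUND specifically; treating any value other than HOSTNAME_VALIDATION_ERR as success would turn this closed default back into an open one.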