httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Stefan Fritsch ...@sfritsch.de>
Subject Re: Fwd: [users@httpd] SSLRequire & UTF-8 characters
Date Sun, 19 Dec 2010 21:22:19 GMT
On Sunday 19 December 2010, Dr Stephen Henson wrote:
> On 29/11/2010 19:34, Dr Stephen Henson wrote:
> > You can get a UTF8String from most string types using
> > ASN1_STRING_to_UTF8(). This should be adequate for most
> > purposes: it doesn't handle the more bizarre TeletexString shift
> > conversions but those are rarely encountered in practice.
> 
> I should have also included a note of warning about
> ASN1_STRING_to_UTF8(). You cannot safely assume that the result
> will be a null terminated string as many ASN1 string types can
> include embedded nulls: this can have security implications in
> some cases.

You mean someone could make a certificate with a CN of 
foo.apache.org\0evil.com but the CN variable would then only contain 
foo.apache.org? I think we can safely assume that any certificate that 
contains an embedded null after converting to UTF8 is malicious. Can 
we reject such certificates somehow? Should we close the connection if 
we see such a thing in ssl_var_lookup_ssl_cert? Or should we try to 
escape the 0-byte in the variable?

Mime
View raw message