RFC2818 checks for axTLS #45

Contributor

okoeroo commented Nov 3, 2012

Adding RFC2818 compliance checks to axTLS.

Completely new are the SubjectAltName checks. The peer CN field fallback is implemented mimicking the OpenSSL behaviour. Settings of VERIFYHOST 0 and 1 are equal to each other and only affect the behaviour of the checking of the peer certificate's most significant CN field.

To implement a proper hostname matching rule with wildcard support, I've taken the liberty to do a one-to-one copy of the static hostcheck function from the OpenSSL backend as new static functions in axTLS.

okoeroo: Adding RFC2818 compliance checks to axTLS. Completely new are the SubjectAltName checks. The peer CN field fallback is implemented matching the OpenSSL behaviour. VERIFYHOST 0 == 1.
1bc4e22

okoeroo closed this Nov 3, 2012

Hi there, I'm the developer of axTLS. Could you give me a patch of the work you've done here? I'll see if I can port the changes in.

Owner

bagder commented Jan 7, 2013

Hi, the patch for the above commit can be found here: https://github.com/okoeroo/curl/commit/1bc4e229dd508cb31025f3151d8b0b2a2b87e249.patch

You'll see that it uses existing host check functions present in libcurl. The current curl git version is slightly modified since that commit.

Contributor

okoeroo commented Jan 7, 2013

Hi,
I haven't touched the axTLS code, that is what you are asking. I've reused the hostname matching code already present in the OpenSSL backend for libcurl and reused it for hostname matching rules in the axTLS backend.

In the end I've implemented a crawl through the SubjectAltNames, and in case these are absent I grab the common name. I then match the host libcurl is connecting to with this information to make the check work.

To the best of my reading axTLS does not feature a function that does hostname matching with the certificate from the host. OpenSSL also doesn't feature such a function, GnuTLS does. With PolarSSL this check is implicit for example. Thus I don't expect a change in axTLS to be required.

Does this answer your question?
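
The check order described in this thread (walk the SubjectAltNames, use the CN only when there are none, then match against the host), as an added example that is not the code from the pull request or from libcurl. `verify_host` and `name_matches` are hypothetical names, the wildcard rule is a simplified assumption, and the certificate names are constructed.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Simplified matcher (assumption, not libcurl's hostcheck): '*' is honoured
   only as the whole leftmost label, the pattern needs two more labels after
   it, the wildcard covers exactly one label, and IPv4 literals never match a
   wildcard. */
static int name_matches(const char *pattern, const char *host)
{
  const char *rest, *dot;

  if(strncmp(pattern, "*.", 2) != 0)
    return !strchr(pattern, '*') && strcasecmp(pattern, host) == 0;
  rest = pattern + 1;                        /* e.g. ".example.com" */
  if(strchr(rest, '*') || !strchr(rest + 1, '.'))
    return 0;                                /* "*.*.com" or "*.com" */
  if(strspn(host, "0123456789.") == strlen(host))
    return 0;                                /* host is an IPv4 literal */
  dot = strchr(host, '.');
  return dot && dot != host && strcasecmp(dot, rest) == 0;
}

/* RFC 2818 order: when the certificate has dNSName subjectAltNames, only
   those decide; the CN is consulted only when there are none. */
int verify_host(const char *const *san_dns, size_t san_count,
                const char *cn, const char *host)
{
  size_t i;

  if(san_count > 0) {
    for(i = 0; i < san_count; i++)
      if(name_matches(san_dns[i], host))
        return 1;
    return 0;              /* SANs present, none matched: no CN fallback */
  }
  return cn && name_matches(cn, host);
}

int main(void)
{
  /* Constructed names, not taken from a real certificate. */
  const char *sans[] = { "example.com", "*.example.com" };

  printf("%d\n", verify_host(sans, 2, "other.test", "www.example.com"));
  printf("%d\n", verify_host(sans, 2, "other.test", "other.test"));
  printf("%d\n", verify_host(NULL, 0, "www.example.com", "www.example.com"));
  return 0;
}
```

The second call is the case worth checking in any backend: a certificate whose CN equals the host but whose SAN list does not contain it must be rejected.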
