author | Emilia Kasper <emilia@openssl.org> | 2015-02-05 16:38:54 +0100 |
---|---|---|
committer | Emilia Kasper <emilia@openssl.org> | 2015-02-10 15:35:20 +0100 |
commit | 0923e7df9eafec6db9c75405d7085ec8581f01bd (patch) | |
tree | 11b45d8564c5886867afd633ea04d3e6b56737aa /doc | |
parent | efb4597345a0ae31ac81f9dfb783f3eef420122b (diff) |
Fix hostname validation in the command-line tool to honour negative return values.
Specifically, an ASN.1 NumericString in the certificate CN will fail UTF-8 conversion
and result in a negative return value, which the "x509 -checkhost" command-line option
incorrectly interpreted as success.
Also update X509_check_host docs to reflect reality.
Thanks to Sean Burford (Google) for reporting this issue.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Diffstat (limited to 'doc')
-rw-r--r-- | doc/crypto/X509_check_host.pod | 7 |
1 files changed, 5 insertions, 2 deletions
diff --git a/doc/crypto/X509_check_host.pod b/doc/crypto/X509_check_host.pod index f8b530df9b..0def17aac1 100644 --- a/doc/crypto/X509_check_host.pod +++ b/doc/crypto/X509_check_host.pod @@ -109,9 +109,12 @@ but would not match a peer certificate with a DNS name of =head1 RETURN VALUES The functions return 1 for a successful match, 0 for a failed match -and -1 for an internal error: typically a memory allocation failure. +and -1 for an internal error: typically a memory allocation failure +or an ASN.1 decoding error. -X509_check_ip_asc() can also return -2 if the IP address string is malformed. +All functions can also return -2 if the input is malformed. For example, +X509_check_host() returns -2 if the provided B<name> contains embedded +NULs. =head1 NOTES |
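Review bot: the rewritten RETURN VALUES text now lists three distinct non-success codes (0, -1, -2) but still does not tell callers how to test for a match; because -1 and -2 are non-zero, a plain `if (X509_check_host(...))` style check treats exactly the errors this hunk documents as success, which is the `x509 -checkhost` bug the commit message describes. Suggest adding one sentence after the new -2 paragraph, e.g. "Callers must treat only a return value of 1 as a successful match; 0 and all negative values mean the name was not matched or could not be checked." It would also help to say which code the failed UTF-8 conversion of a NumericString CN from the commit message maps to (the -1 "ASN.1 decoding error" case or the -2 malformed-input case), since the text as written leaves that ambiguous.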