From: Thorsten Glaser <tg-vpiyNrvJqjezQB+pC5nmwQ <at> public.gmane.org>
Subject: Regarding: Null Prefix Attacks Against SSL Certificates
Newsgroups: gmane.comp.web.lynx.devel
Date: Wednesday 5th August 2009 10:11:26 UTC (over 8 years ago)
Hi,

please update your report to state that Lynx does not need to be patched
since it already handles this gracefully:

┌──┤ interactive warning in the status line
│SSL error:host(spamfilter2.tarent.de)!=cert(CN<*\x00.secureconnection.cc>)-Continue? (y)
└

┌──┤ message log excerpt
│8. Secure 256-bit TLSv1/SSLv3 (DHE-RSA-AES256-SHA) HTTP connection
│7. Certificate issued by: /C=ES/ST=Barcelona/L=Barcelona/O=IPS Certification Authority s.l./O=general-Jk1EWY3BbPUAvxtiuMwx3w@public.gmane.org C.I.F. B-B62210695/OU=ipsCA CLASEA1 Certification Authority/CN=ipsCA CLASEA1 Certification Authority/emailAddress=general-Jk1EWY3BbPUAvxtiuMwx3w@public.gmane.org
│6. UNVERIFIED connection to spamfilter2.tarent.de (cert=CN<*\x00.secureconnection.cc>)
└─

The ‘\x00’ is just not converted into a NUL byte. ‘*’ matching fails
since the host connected to doesn’t match either (a ‘\’ is invalid
in a hostname).

Sometimes, KISS pays off ☺

Tested on: MirOS httpd (MirOS #10semel), Lynx 2.8.7dev.8-MirOS
built with OpenSSL (someone on GNU/Linux should test this with
their GnuTLS crapware). I expect Lynx 2.8.7rel.1 (the current
release) to behave the same (in fact, updating Lynx in base is
next thing on my TODO).

bye,
//mirabilos
-- 
  "Using Lynx is like wearing a really good pair of shades: cuts out
   the glare and harmful UV (ultra-vanity), and you feel so-o-o COOL."
                                         -- Henry Nelson, March 1999
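
The behaviour described in the message above, as an added example (not part of the original message and not Lynx's code): the same CN bytes checked once as a NUL-terminated C string and once after escaping non-printable bytes as \xNN. The function names and the simplified wildcard rule are assumptions made for illustration; the CN bytes are a constructed sample based on the log excerpt.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: the raw CN bytes from the log, with a real NUL after '*'. */
static const unsigned char SAMPLE_CN[] = "*\0.secureconnection.cc";
#define SAMPLE_CN_LEN (sizeof SAMPLE_CN - 1)

/* Case-insensitive equality of two C strings. */
static int eq_ci(const char *a, const char *b) {
    while (*a && tolower((unsigned char)*a) == tolower((unsigned char)*b)) { a++; b++; }
    return *a == *b;
}

/* Simplified wildcard rule (assumption): a leading '*' matches any host prefix. */
static int wildcard_match(const char *host, const char *pat) {
    if (pat[0] != '*') return eq_ci(host, pat);
    size_t hl = strlen(host), sl = strlen(pat + 1);
    return hl >= sl && eq_ci(host + hl - sl, pat + 1);
}

/* Render the CN with non-printable bytes written as \xNN, as in the log excerpt. */
void escape_cn(const unsigned char *cn, size_t len, char *out, size_t outsz) {
    size_t o = 0;
    for (size_t i = 0; i < len && o + 5 <= outsz; i++) {
        if (cn[i] >= 0x20 && cn[i] < 0x7f) out[o++] = (char)cn[i];
        else o += (size_t)snprintf(out + o, outsz - o, "\\x%02X", (unsigned)cn[i]);
    }
    out[o] = '\0';
}

/* Weak form: the raw bytes are read as a C string, so the pattern ends at the NUL. */
int cn_match_truncating(const char *host, const unsigned char *cn) {
    return wildcard_match(host, (const char *)cn);
}

/* Form described in the message: match against the escaped text instead. */
int cn_match_escaped(const char *host, const unsigned char *cn, size_t len) {
    char buf[256];
    escape_cn(cn, len, buf, sizeof buf);
    return wildcard_match(host, buf);
}

int main(void) {
    const char *host = "spamfilter2.tarent.de";
    printf("truncating=%d escaped=%d\n", cn_match_truncating(host, SAMPLE_CN),
           cn_match_escaped(host, SAMPLE_CN, SAMPLE_CN_LEN));
    return 0;
}
```

The truncating form sees only "*" and accepts the host; the escaped form compares against a pattern containing a literal backslash, which no valid hostname can end with.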
 