Frank Gruman fgatwork at
Wed Sep 9 22:01:37 CDT 2009

On Tue, 2009-09-08 at 16:33 -0700, Juan Lang wrote:

> Hi Frank,
> On Tue, Sep 8, 2009 at 4:15 PM, Frank Gruman<fgatwork at> wrote:
> > Looking at chain.c, line 1886-1902 I can see the switch-case statement
> > where this would have been handled.  The problem I ran into while trying
> > to keep up with the code was figuring out what the verify_* methods are
> > trying to do.
> >
> > I'd really like to see this work and may have some spare cycles to help
> > out.  The problem is that I don't understand everything happening in
> > these methods - can I get some pointers to what is happening or what
> > should happen in the yet to be created verify_ssl_policy() method?
>
> The short answer is, if you don't care about the validity of the
> certificates you're trying to connect to, you can hack this function
> to return TRUE rather than FALSE.  This is an awful hack, however, and
> can't be accepted into the Wine tree, but if all you care about is to
> get the darn thing to work, it might be enough for you.
>
> The longer answer is the generic Wine answer:  what should happen is
> whatever Windows does.  To find out what Windows does, you need to
> write tests for it.  Have a look at dlls/crypt32/tests/chain.c for a
> start.  You'll want to mimic the existing tests, and try with
>
> Since that's not very specific, here's a slightly more directed
> answer:  the as-yet-unwritten verify_ssl_policy() should call
> verify_base_policy() first.  If it succeeds, it should verify that the
> certificate matches the intended use.  At a minimum, if the
> SSL_EXTRA_CERT_CHAIN_POLICY_PARA is specified, you need to verify that
> its pwszServerName matches the subject name in the certificate.  Be
> careful not to introduce the embedded NULL character vulnerability
> (see e.g. CVE-2009-2417.)  There are probably more checks needed,
> either in verify_base_policy or in verify_ssl_policy, e.g. checking
> the key usage extension.  RFC3280 is a good guide for the kinds of
> checks that need to be done.
>
> Intimidated yet?  That's why I haven't gotten around to it myself:
> it's not a quick fix, and I haven't had a lot of free time.  But if
> you have the time to do it right, by all means have a go!
>
> --Juan

Only slightly daunted.  But I will give it a go.  It won't be
overnight, but I think I can, I think I can, I think I can...

Thanks for the pointers on where to look and start.
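
The server-name check described in the quoted reply, as an added example that is not part of the original thread and is not Wine's code. It assumes a length-counted name as a decoder would return it, uses narrow strings instead of WCHAR, and handles exact names only (no wildcards); `struct cert_name`, `name_matches()`, `check_ssl_policy()` and the sample names are hypothetical.

```c
#include <stddef.h>
#include <string.h>

/* Name as decoded from a certificate: length-counted, so it can legally
 * contain 0x00 bytes. Hypothetical type, not a crypt32 structure. */
struct cert_name { const char *data; size_t len; };

/* Constructed samples; sizeof - 1 keeps the bytes after the embedded NUL. */
static const char plain_bytes[] = "www.example.com";
static const char nul_bytes[]   = "www.example.com\0.other.invalid";
static const struct cert_name plain_name = { plain_bytes, sizeof plain_bytes - 1 };
static const struct cert_name nul_name   = { nul_bytes,   sizeof nul_bytes - 1 };

/* Flawed: treats the name as a C string, so the comparison stops at the
 * first NUL and ignores the rest of the name that was actually signed. */
static int name_matches_naive(const struct cert_name *cn, const char *server)
{
    return strcmp(cn->data, server) == 0;
}

static char ascii_lower(char c)
{
    return (c >= 'A' && c <= 'Z') ? (char)(c - 'A' + 'a') : c;
}

/* Hardened: reject any embedded NUL, then compare the full counted length,
 * ASCII case-insensitively (DNS names are case-insensitive). */
static int name_matches(const struct cert_name *cn, const char *server)
{
    size_t i, n = strlen(server);

    if (cn->len == 0 || memchr(cn->data, 0, cn->len) != NULL)
        return 0;
    if (cn->len != n)
        return 0;
    for (i = 0; i < n; i++)
        if (ascii_lower(cn->data[i]) != ascii_lower(server[i]))
            return 0;
    return 1;
}

/* Ordering from the message: base policy result first, then the name check,
 * which applies only when a server name was supplied (server != NULL). */
static int check_ssl_policy(int base_ok, const struct cert_name *cn,
                            const char *server)
{
    if (!base_ok)
        return 0;
    return server == NULL || name_matches(cn, server);
}
```

A test in the style of dlls/crypt32/tests/chain.c would cover the same three cases: a matching name, a mismatched name, and a name with an embedded NUL.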

More information about the wine-devel mailing list