fgatwork at verizon.net
Wed Sep 9 22:01:37 CDT 2009
On Tue, 2009-09-08 at 16:33 -0700, Juan Lang wrote:
> Hi Frank,
> On Tue, Sep 8, 2009 at 4:15 PM, Frank Gruman<fgatwork at verizon.net> wrote:
> > Looking at chain.c, line 1886-1902 I can see the switch-case statement
> > where this would have been handled. The problem I ran into while trying
> > to keep up with the code was figuring out what the verify_* methods are
> > trying to do.
> > I'd really like to see this work and may have some spare cycles to help
> > out. The problem is that I don't understand everything happening in
> > these methods - can I get some pointers to what is happening or what
> > should happen in the yet to be created verify_ssl_policy() method?
> The short answer is, if you don't care about the validity of the
> certificates you're trying to connect to, you can hack this function
> to return TRUE rather than FALSE. This is an awful hack, however, and
> can't be accepted into the Wine tree, but if all you care about is to
> get the darn thing to work, it might be enough for you.
> The longer answer is the generic Wine answer: what should happen is
> whatever Windows does. To find out what Windows does, you need to
> write tests for it. Have a look at dlls/crypt32/tests/chain.c for a
> start. You'll want to mimic the existing tests, and try with
> different SSL_EXTRA_CERT_CHAIN_POLICY_PARA values.
> Since that's not very specific, here's a slightly more directed
> answer: the as-yet-unwritten verify_ssl_policy() should call
> verify_base_policy() first. If it succeeds, it should verify that the
> certificate matches the intended use. At a minimum, if the
> SSL_EXTRA_CERT_CHAIN_POLICY_PARA is specified, you need to verify that
> its pwszServerName matches the subject name in the certificate. Be
> careful not to introduce the embedded NULL character vulnerability
> (see e.g. CVE-2009-2417.) There are probably more checks needed,
> either in verify_base_policy or in verify_ssl_policy, e.g. checking
> the key usage extension. RFC3280 is a good guide for the kinds of
> checks that need to be done.
> Intimidated yet? That's why I haven't gotten around to it myself:
> it's not a quick fix, and I haven't had a lot of free time. But if
> you have the time to do it right, by all means have a go!
Only slightly daunted. But I will give it a go. It won't be over
night, but I think I can, I think I can, I think I can...
Thanks for the pointers on where to look and start.
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the wine-devel