Bug#1070033: libgnutls30: rejects numeric IPv6 addresses during connection

Andreas Metzler ametzler at bebt.de
Sat May 18 05:55:06 BST 2024


On 2024-05-17 Elliott Mitchell <ehem+debian at m5p.com> wrote:
> On Thu, May 16, 2024 at 07:06:49PM -0700, Elliott Mitchell wrote:
> > On Tue, May 14, 2024 at 06:22:09PM +0200, Andreas Metzler wrote:
[...]
> > > Could you please post the requested output, although there are no
> > > obvious clues there to your eyes?
> > 
> > Problem is that provides rather a lot of data about this network setup.
> > The quantity of information is enough for me to be rather uncomfortable
> > with providing it via public channel.
[...]

> > I notice the `_gnutls_dnsname_is_valid()` function in
> > gnutls28-3.8.5/lib/str.h accepts IPv4 addresses (which are NOT valid in
> > DNS), but rejects IPv6 addresses.

Hello,

At a very bare level an IPv4 address is a valid DNS name (alnum, dashes,
and dots), an IPv6 address is not. That is what gnutls is checking here.
Afaict it is a short-cut to save more expensive processing for obvious
errors. gnutls_session_get_verify_cert_status() (with
gnutls_session_set_verify_cert() set correctly) or
gnutls_x509_crt_check_hostname()/gnutls_certificate_verify_peers3()
does more elaborate stuff on the data,
gnutls_certificate_verify_peers2() requires a separate
gnutls_x509_crt_check_hostname().

cu Andreas
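As an added illustration of the point made in this message (this is example code written for this page, not gnutls' own `_gnutls_dnsname_is_valid()` or any other code from the gnutls project): the syntactic DNS-name filter described above is reimplemented from that description, with the label and total-length limits being my own assumption about what such a filter would enforce. Next to it is a small classifier showing why a client should decide up front whether the "server name" it holds is a DNS name, an IPv4 literal or an IPv6 literal: the dotted quad sails through the cheap character check, the IPv6 literal (with or without URL-style brackets) is rejected by it, so an IP literal has to be verified against the certificate's iPAddress SAN by a separate path rather than passed through the hostname check.

```c
#include <arpa/inet.h>
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Syntactic DNS-name check modelled on the description in the thread:
 * only alphanumerics, '-' and '.' are allowed. The 63-octet label and
 * 253-octet name limits are an assumption added here (RFC 1035 limits),
 * not something the thread states. A trailing dot (absolute name) is
 * accepted; a leading dot or an empty label ("a..b") is not.
 *
 * Consequence worth noticing: a dotted-quad IPv4 address passes this
 * check even though it is not a DNS name, while an IPv6 literal fails
 * on its first ':'.
 */
int dnsname_is_valid(const char *name)
{
    size_t len, label_len = 0;

    if (name == NULL)
        return 0;
    len = strlen(name);
    if (len == 0 || len > 253)
        return 0;

    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (c == '.') {
            if (label_len == 0)
                return 0;           /* leading dot or empty label */
            label_len = 0;
        } else if (isalnum(c) || c == '-') {
            if (++label_len > 63)
                return 0;           /* label too long */
        } else {
            return 0;               /* ':' of an IPv6 literal, '[', space, ... */
        }
    }
    return 1;
}

/* What kind of string did the caller hand us as the "server name"? */
enum name_kind { NAME_INVALID = 0, NAME_DNS = 1, NAME_IPV4 = 2, NAME_IPV6 = 3 };

enum name_kind classify_server_name(const char *name)
{
    unsigned char addr[16];          /* large enough for an IPv6 address */
    char stripped[64];
    size_t len;

    if (name == NULL)
        return NAME_INVALID;
    len = strlen(name);

    /* Accept the URL-style bracketed form "[2001:db8::1]" as an IPv6 literal. */
    if (len >= 2 && name[0] == '[' && name[len - 1] == ']' &&
        len - 2 < sizeof stripped) {
        memcpy(stripped, name + 1, len - 2);
        stripped[len - 2] = '\0';
        name = stripped;
    }

    /* IP literals first: they must never be run through the DNS-name path. */
    if (inet_pton(AF_INET6, name, addr) == 1)
        return NAME_IPV6;
    if (inet_pton(AF_INET, name, addr) == 1)
        return NAME_IPV4;
    if (dnsname_is_valid(name))
        return NAME_DNS;
    return NAME_INVALID;
}

int main(void)
{
    /* Constructed sample inputs, not taken from the bug report. */
    static const char *const samples[] = {
        "www.example.com", "192.0.2.1", "2001:db8::1", "[2001:db8::1]", "a..b",
    };
    static const char *const kind_name[] = { "invalid", "dns", "ipv4", "ipv6" };

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-16s dnsname_is_valid=%d kind=%s\n", samples[i],
               dnsname_is_valid(samples[i]),
               kind_name[classify_server_name(samples[i])]);
    return 0;
}
```

With that classification in hand, a client passes a `NAME_DNS` (and, per the message above, effectively also a dotted-quad `NAME_IPV4`) string to the hostname-based checks, while a `NAME_IPV6` literal should be compared against the certificate's iPAddress subjectAltName entries, which in GnuTLS is what `gnutls_x509_crt_check_ip()` does on the binary address rather than the textual form.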


