[17085] in Kerberos-V5-bugs
[krbdev.mit.edu #9198] git commit
daemon@ATHENA.MIT.EDU (Greg Hudson via RT)
Wed Mar 4 02:09:43 2026
From: "Greg Hudson via RT" <rt-comment@krbdev.mit.edu>
In-Reply-To:
Message-ID: <rt-4.4.3-2-3160078-1772608178-378.9198-4-0@mit.edu>
To: "AdminCc of krbdev.mit.edu Ticket #9198":;
Date: Wed, 04 Mar 2026 02:09:38 -0500
MIME-Version: 1.0
Reply-To: rt-comment@krbdev.mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krb5-bugs-bounces@mit.edu
Wed Mar 04 02:09:38 2026: Request 9198 was acted upon.
Transaction: Ticket created by ghudson@mit.edu
Queue: krb5
Subject: git commit
Owner: ghudson@mit.edu
Requestors:
Status: new
Ticket <URL: https://krbdev.mit.edu/rt/Ticket/Display.html?id=9198 >
Use X509_check_host() to verify KKDCP server cert
In the k5tls module, rely on X509_check_host() and
X509_check_ip_asc(), which were added in OpenSSL 1.0.2, instead of
doing our own verification.
There is one notable difference in behavior: X509_check_host() admits
wildcards with a prefix or suffix (but not both) within the label,
like "kdc*.mydomain.com". The old code only allows a wildcard to
match a complete label.
https://github.com/krb5/krb5/commit/f5bbfa4821cf590a4748f96d0e016bc0485e95c4
Author: Greg Hudson <ghudson@mit.edu>
Commit: f5bbfa4821cf590a4748f96d0e016bc0485e95c4
Branch: master
src/plugins/tls/k5tls/openssl.c | 211 ++--------------------------------------
1 file changed, 6 insertions(+), 205 deletions(-)
_______________________________________________
krb5-bugs mailing list
krb5-bugs@mit.edu
https://mailman.mit.edu/mailman/listinfo/krb5-bugs
