[krbdev.mit.edu #9198] git commit
Greg Hudson via RT
rt-comment at krbdev.mit.edu
Wed Mar 4 02:09:38 EST 2026
Wed Mar 04 02:09:38 2026: Request 9198 was acted upon.
Transaction: Ticket created by ghudson at mit.edu
Queue: krb5
Subject: git commit
Owner: ghudson at mit.edu
Requestors:
Status: new
Ticket <URL: https://krbdev.mit.edu/rt/Ticket/Display.html?id=9198 >
Use X509_check_host() to verify KKDCP server cert
In the k5tls module, rely on X509_check_host() and
X509_check_ip_asc(), which were added in OpenSSL 1.0.2, instead of
doing our own verification.
There is one notable difference in behavior: X509_check_host() admits
wildcards with a prefix or suffix (but not both) within the label,
like "kdc*.mydomain.com". The old code only allows a wildcard to
match a complete label.
https://github.com/krb5/krb5/commit/f5bbfa4821cf590a4748f96d0e016bc0485e95c4
Author: Greg Hudson <ghudson at mit.edu>
Commit: f5bbfa4821cf590a4748f96d0e016bc0485e95c4
Branch: master
src/plugins/tls/k5tls/openssl.c | 211 ++--------------------------------------
1 file changed, 6 insertions(+), 205 deletions(-)
More information about the krb5-bugs
mailing list