
The _gnutls_x509_verify_certificate fix


From: Tomas Mraz
Subject: The _gnutls_x509_verify_certificate fix
Date: Mon, 10 Nov 2008 14:47:16 +0100

Hello,

given the recent fix in the _gnutls_x509_verify_certificate I have been
looking at the function. I see there are currently some limitations in
it. For example it now doesn't allow verification of an explicitly trusted
self-signed site certificate. Is there some other method by which this could
be achieved? If not, then perhaps the test for the self-signed should be
performed only when clist_size > 1. Also the test for the clist_size
should be the first test of the if().

The other limitation is that only the last certificate (after removing
eventual self-signed cert at the end of the chain) is checked against
the trusted list. That means you cannot put just an intermediate CA
cert into the trusted list to be able to verify the chain.

What do you think of these limitations, should they be removed?
-- 
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
                                              Turkish proverb
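A small model of the chain walk the message argues for, added here as an example and not GnuTLS code: every certificate in the chain, starting with the site certificate, is compared against the trusted list, so an explicitly trusted self-signed leaf (clist_size == 1) and a trusted intermediate CA both verify, while an untrusted self-signed certificate ends the walk with failure. The `cert_t` type, the issuer/subject name match standing in for signature verification, and the sample names are all constructed for this illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Stand-in for an X.509 certificate (constructed for this example): names only,
   with "signature verification" modelled as an issuer/subject name match. */
typedef struct {
    const char *subject;
    const char *issuer; /* equals subject for a self-signed certificate */
} cert_t;

static bool same_cert(const cert_t *a, const cert_t *b)
{
    return strcmp(a->subject, b->subject) == 0 && strcmp(a->issuer, b->issuer) == 0;
}

static bool is_self_signed(const cert_t *c)
{
    return strcmp(c->subject, c->issuer) == 0;
}

static bool in_trusted_list(const cert_t *c, const cert_t *trusted, size_t ntrusted)
{
    for (size_t i = 0; i < ntrusted; i++)
        if (same_cert(c, &trusted[i]))
            return true;
    return false;
}

/* Walk clist[0] (site cert) towards the top. The chain is accepted as soon as
   any certificate in it is itself in the trusted list; a self-signed cert that
   is not trusted, or a broken issuer link, ends the walk with failure. */
static bool verify_chain(const cert_t *clist, size_t clist_size,
                         const cert_t *trusted, size_t ntrusted)
{
    if (clist_size == 0)
        return false;
    for (size_t i = 0; i < clist_size; i++) {
        if (in_trusted_list(&clist[i], trusted, ntrusted))
            return true;                  /* trust anchor reached */
        if (is_self_signed(&clist[i]))
            return false;                 /* untrusted root: nothing above it */
        if (i + 1 < clist_size && strcmp(clist[i].issuer, clist[i + 1].subject) != 0)
            return false;                 /* next cert did not issue this one */
    }
    return false;                         /* chain ended without a trust anchor */
}

/* Constructed sample data: a self-signed site cert and a three-cert chain. */
static const cert_t site_self = { "www.example.test", "www.example.test" };
static const cert_t chain[] = {
    { "www.example.test", "Example Intermediate CA" },
    { "Example Intermediate CA", "Example Root CA" },
    { "Example Root CA", "Example Root CA" },
};
```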