Re: The _gnutls_x509_verify_certificate fix
From: Simon Josefsson
Subject: Re: The _gnutls_x509_verify_certificate fix
Date: Mon, 10 Nov 2008 18:33:05 +0100
User-agent: Gnus/5.110011 (No Gnus v0.11) Emacs/22.2 (gnu/linux)

Tomas Mraz <address@hidden> writes:
> Hello,
>
> given the recent fix in the _gnutls_x509_verify_certificate I have been
> looking at the function. I see there are currently some limitations in
> it. For example it now doesn't allow verification of an explicitly trusted
> self-signed site certificate. Is there some other method how this could
> be achieved? If not, then perhaps the test for the self-signed should be
> performed only when clist_size > 1. Also the test for the clist_size
> should be first test of the if().
>
> The other limitation is that only the last certificate (after removing
> eventual self-signed cert at the end of the chain) is checked against
> the trusted list. That means you can not put just an intermediate CA
> cert into the trusted list to be able to verify the chain.
>
> What do you think of these limitations, should they be removed?

Hi. Thanks for looking at the code. Yes, I would agree that both
situations should be permitted, and consequently that the limitations
should be removed.

/Simon
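
A toy C model of the two limitations discussed in this message, added here as an illustration; it is not GnuTLS code and not part of the original mail. The `cert` struct, the names `verify_last_only` and `verify_any_anchor`, the sample data, and the reading of "checked against the trusted list" as "issued by a trust-list entry" are all assumptions.

```c
#include <stddef.h>
#include <string.h>
/* Toy model: names plus key ids; signed_by names the signing key. Dates,
 * CA flags and real signature checks are left out. */
typedef struct { const char *subject, *issuer, *key, *signed_by; } cert;

static int issued_by(const cert *c, const cert *ca) {
    return !strcmp(c->issuer, ca->subject) && !strcmp(c->signed_by, ca->key);
}
/* 1 if c was issued by a trust-list entry or, when exact is set, is itself
 * an entry (same subject and same key). */
static int anchored(const cert *c, const cert *tl, size_t tn, int exact) {
    for (size_t i = 0; i < tn; i++)
        if (issued_by(c, &tl[i]) || (exact && !strcmp(c->subject, tl[i].subject)
                                           && !strcmp(c->key, tl[i].key)))
            return 1;
    return 0;
}
/* Behaviour described in the mail: drop a trailing self-signed cert, then
 * check only the last remaining cert against the trust list. */
int verify_last_only(const cert *ch, size_t n, const cert *tl, size_t tn) {
    if (n > 0 && issued_by(&ch[n - 1], &ch[n - 1]))
        n--;
    if (n == 0)
        return 0;                        /* lone self-signed cert rejected */
    for (size_t i = 0; i + 1 < n; i++)
        if (!issued_by(&ch[i], &ch[i + 1]))
            return 0;                    /* broken link */
    return anchored(&ch[n - 1], tl, tn, 0);
}
/* Both limitations lifted: walking up from the site cert, accept at the
 * first cert that is itself trusted or was issued by a trusted cert. */
int verify_any_anchor(const cert *ch, size_t n, const cert *tl, size_t tn) {
    for (size_t i = 0; i < n; i++) {
        if (anchored(&ch[i], tl, tn, 1))
            return 1;
        if (i + 1 < n && !issued_by(&ch[i], &ch[i + 1]))
            return 0;
    }
    return 0;
}
/* Constructed sample data: site <- inter <- root, then a self-signed site
 * cert followed by an impostor reusing its name with a different key. */
const cert sample_chain[] = { {"site", "inter", "k1", "k2"},
    {"inter", "root", "k2", "k3"}, {"root", "root", "k3", "k3"} };
const cert sample_self[] = { {"self", "self", "k4", "k4"},
    {"self", "self", "k5", "k5"} };
int main(void) {   /* exit 0: intermediate-only trust list is accepted */
    return !verify_any_anchor(sample_chain, 3, &sample_chain[1], 1);
}
```

The exact-match branch compares the key as well as the subject, so a self-signed certificate that only reuses a trusted name is still rejected.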