[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: The _gnutls_x509_verify_certificate fix
From: |
Werner Koch |
Subject: |
Re: The _gnutls_x509_verify_certificate fix |
Date: |
Tue, 11 Nov 2008 12:09:01 +0100 |
User-agent: |
Gnus/5.110007 (No Gnus v0.7) |
On Tue, 11 Nov 2008 02:35, address@hidden said:
> 1) The first certificate must be one of your trusted certs
>
> 2) Each one of the following certificates must be signed by the
> previous one, ending with the peer's certificate
And there are dozens of other constraints you have to obey when doing an
X.509 certificate chain verification.
A simple I recently wrote is in dirmngr/src/validate.c which is about
1100 lines. However the code may not be suitable for DoS affected
scenarios.
Shalom-Salam,
Werner
--
Die Gedanken sind frei. Auschnahme regelt ein Bundeschgesetz.
- Re: The _gnutls_x509_verify_certificate fix, (continued)
- Re: The _gnutls_x509_verify_certificate fix, Tomas Mraz, 2008/11/11
- Re: The _gnutls_x509_verify_certificate fix, Simon Josefsson, 2008/11/11
- Re: The _gnutls_x509_verify_certificate fix, Simon Josefsson, 2008/11/11
- Re: The _gnutls_x509_verify_certificate fix, Tomas Mraz, 2008/11/11
- Re: The _gnutls_x509_verify_certificate fix, Simon Josefsson, 2008/11/11
- Re: The _gnutls_x509_verify_certificate fix, Andreas Metzler, 2008/11/11
- Re: The _gnutls_x509_verify_certificate fix, Simon Josefsson, 2008/11/11
- Re: The _gnutls_x509_verify_certificate fix, Simon Josefsson, 2008/11/12
- Re: The _gnutls_x509_verify_certificate fix, Andreas Metzler, 2008/11/12
Re: The _gnutls_x509_verify_certificate fix, Sam Varshavchik, 2008/11/10
- Re: The _gnutls_x509_verify_certificate fix,
Werner Koch <=
- Re: The _gnutls_x509_verify_certificate fix, Simon Josefsson, 2008/11/11
- supporting out-of-process certificate validation [was: Re: The _gnutls_x509_verify_certificate fix], Daniel Kahn Gillmor, 2008/11/11
- Re: supporting out-of-process certificate validation, Simon Josefsson, 2008/11/12
- Re: supporting out-of-process certificate validation, Werner Koch, 2008/11/12
- Re: supporting out-of-process certificate validation, Simon Josefsson, 2008/11/12
- Re: supporting out-of-process certificate validation, Werner Koch, 2008/11/12
trusted intermediate CAs [was: Re: The _gnutls_x509_verify_certificate fix], Daniel Kahn Gillmor, 2008/11/11
Re: trusted intermediate CAs, Simon Josefsson, 2008/11/12
Re: trusted intermediate CAs, Daniel Kahn Gillmor, 2008/11/12
Re: trusted intermediate CAs, Nikos Mavrogiannopoulos, 2008/11/12