Re: The _gnutls_x509_verify_certificate fix
From: Simon Josefsson
Subject: Re: The _gnutls_x509_verify_certificate fix
Date: Tue, 11 Nov 2008 21:30:40 +0100
User-agent: Gnus/5.110011 (No Gnus v0.11) Emacs/23.0.60 (gnu/linux)
Andreas Metzler <address@hidden> writes:
> Hello,
> So combining this one and the patch in advisory I would get:
> ----------------------
> --- /tmp/verify.c.origal 2008-11-11 18:46:43.000000000 +0000
> +++ lib/x509/verify.c 2008-11-11 18:48:08.000000000 +0000
> @@ -414,17 +414,6 @@
> }
> #endif
>
> - /* Check if the last certificate in the path is self signed.
> - * In that case ignore it (a certificate is trusted only if it
> - * leads to a trusted party by us, not the server's).
> - */
> - if (gnutls_x509_crt_check_issuer (certificate_list[clist_size - 1],
> - certificate_list[clist_size - 1]) > 0
> - && clist_size > 0)
> - {
> - clist_size--;
> - }
> -
> /* Verify the certificate path (chain)
> */
> for (i = clist_size - 1; i > 0; i--)
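Review bot: nothing above the "Verify the certificate path (chain)" loop now says how a self-signed certificate at the end of certificate_list is treated, because the removed block carried the only comment on that. Since the last entry is no longer dropped, a short comment there stating that it stays in the chain and is only accepted if it leads to a CA we trust would keep the intent on record. The deleted condition read certificate_list[clist_size - 1] before testing clist_size > 0, so removing it takes that read away, but the loop still starts at clist_size - 1; it is worth confirming that an empty list is rejected before this point, which is not visible in this hunk.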
> ----------------------
Yes.
> Applying this to 2.4.2 this does away with the crash, however it does
> not fix the advisory anymore. (The way to reproduce described in
> http://news.gmane.org/find-root.php?message_id=%3c4918143A.3050103%40gmx.net%3e
> works again.)
Really? I think the patch should solve both the crash and the
advisory. Are you sure you used the right library?
> cu and- wondering when lists.gnu.org is accessible by SMTP again -reas
Mailing lists are @gnu.org, not @lists.gnu.org. I had to resend a few
messages that were sent to address@hidden for some reason.
Or have you seen any documentation that says @lists.gnu.org can be used?
/Simon