gnutls-devel

Re: Certificate expiration not checked by gnutls-cli [GNUTLS-SA-2009-3]


From: Nikos Mavrogiannopoulos
Subject: Re: Certificate expiration not checked by gnutls-cli [GNUTLS-SA-2009-3] [CVE-2009-1417]
Date: Sun, 17 Jan 2010 10:37:31 +0100
User-agent: Thunderbird 2.0.0.23 (X11/20090817)

Andreas Metzler wrote:
> Ping?
[...]
>> this test does not work for me with any version of gnutls. There is no
>> "error: certificate has expired" or even "Peer's certificate chain
>> uses expired certificate".

I checked it and it seems that the verification code will stop once a
certificate in the chain is found invalid (that was added to counter
some denial of service attacks). Here gnutls-cli cannot verify the CA
certificate thus stops there and does not move forward to check time for
the actual certificate.

regards,
Nikos
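The early exit described in this message, as an added example that is not part of the original e-mail and is not GnuTLS code: a simplified chain walk showing that when the issuing CA is not in the trust list, a verifier that stops at the first failure never reaches the time check, so an expiry test only reports "expired" once the CA is trusted. The struct, status bits, function names and sample values are all constructed for this model.

```c
#include <stdio.h>
#include <string.h>

/* Status bits for this model only; they are not GnuTLS's constants. */
enum { ST_INVALID = 1, ST_SIGNER_NOT_FOUND = 2, ST_EXPIRED = 4 };

struct cert { const char *subject, *issuer; long not_after; }; /* simplified */

static int is_trusted(const char *name, const char **trust, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (strcmp(name, trust[i]) == 0) return 1;
    return 0;
}

/* chain[0] is the leaf, chain[len-1] the certificate closest to the CA.
 * stop_on_first = 1 models the early exit described in the message. */
unsigned verify_chain(const struct cert *chain, size_t len, const char **trust,
                      size_t ntrust, long now, int stop_on_first) {
    unsigned status = 0;
    if (len == 0) return ST_INVALID;
    if (!is_trusted(chain[len - 1].issuer, trust, ntrust)) {
        status |= ST_INVALID | ST_SIGNER_NOT_FOUND;
        if (stop_on_first) return status;   /* time checks never run */
    }
    for (size_t i = len; i-- > 0;) {
        /* each certificate must be issued by the next one up the chain */
        if (i + 1 < len && strcmp(chain[i].issuer, chain[i + 1].subject) != 0) {
            status |= ST_INVALID | ST_SIGNER_NOT_FOUND;
            if (stop_on_first) return status;
        }
        if (chain[i].not_after < now) {
            status |= ST_INVALID | ST_EXPIRED;
            if (stop_on_first) return status;
        }
    }
    return status;
}

/* Constructed sample: an expired leaf issued by "Test CA". */
unsigned demo(int ca_is_trusted, int stop_on_first) {
    const struct cert chain[] = { { "server.example", "Test CA", 1000 } };
    const char *trust[] = { "Test CA" };
    return verify_chain(chain, 1, trust, ca_is_trusted ? 1 : 0, 2000, stop_on_first);
}

int main(void) {
    printf("CA unknown, early exit: %u\n", demo(0, 1));
    printf("CA unknown, full walk:  %u\n", demo(0, 0));
    printf("CA trusted, early exit: %u\n", demo(1, 1));
    return 0;
}
```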



