Re: Remove artificial constraint in _gnutls_x509_verify

gnutls-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Remove artificial constraint in _gnutls_x509_verify_certificate

From:	Nikos Mavrogiannopoulos
Subject:	Re: Remove artificial constraint in _gnutls_x509_verify_certificate
Date:	Sun, 07 Mar 2010 10:35:03 +0100
User-agent:	Thunderbird 2.0.0.23 (X11/20090817)

Tomas Mraz wrote:
> On Tue, 2010-03-02 at 22:34 +0100, Nikos Mavrogiannopoulos wrote: 
>> Tomas Mraz wrote:
>>> Hi,
>>> I was examining the current _gnutls_x509_verify_certificate() code and I
>>> found that the code does not allow unconditionally accepting the site
>>> certificate if it is on the trust list. I think that this is unnecessary
>>> restriction which should be removed.
>> Please elaborate. What is the scenario that wasn't working before and
>> you believe you fixed with this patch?
> 
> For example when the site certificate is expired and/or uses unsafe
> algorithm for its signature and you put it on the trusted list on client
> to alleviate the problem.

Hi,
 Sorry for the late reply but needed to find some time to check the
verification process carefully. Indeed your suggestion makes sense and
doesn't seem to have side-effects. I've commited it.

regards,
Nikos

[Prev in Thread]

Current Thread

[Next in Thread]

Remove artificial constraint in _gnutls_x509_verify_certificate, Tomas Mraz, 2010/03/02
- Re: Remove artificial constraint in _gnutls_x509_verify_certificate, Nikos Mavrogiannopoulos, 2010/03/02
  - Re: Remove artificial constraint in _gnutls_x509_verify_certificate, Tomas Mraz, 2010/03/03
    - Re: Remove artificial constraint in _gnutls_x509_verify_certificate, Nikos Mavrogiannopoulos <=

Prev by Date: Re: Another renegotiation patch
Next by Date: GNU TLS 2.9.9 , sign/hash extension support
Previous by thread: Re: Remove artificial constraint in _gnutls_x509_verify_certificate
Next by thread: Re: Another renegotiation patch
Index(es):
- Date
- Thread