help-gnutls

Re: [oss-security] CVE Request: evolution-data-server lacks SSL checking


From: Sam Varshavchik
Subject: Re: [oss-security] CVE Request: evolution-data-server lacks SSL checking in its libsoup users
Date: Mon, 07 May 2012 07:06:52 -0400

Nikos Mavrogiannopoulos writes:

> The initial idea was that applications know which certificates to
> trust, or which CAs to trust. For example I might trust Verisign for
> web browsing but only my local CA for SMTP.
>
> I still believe in the above, but for several applications it seems
> it may not make sense. Currently I like the part of Ludwig's patch
> that introduces a gnutls_certificate_set_x509_system_trust(), but it
> doesn't set any defaults (because they don't exist on all systems).
> For that I'd like more input from the library users here. Are there
> standard practices in Linux distributions and other POSIX systems that
> would allow one to deduce that there is a common trusted certificate bundle?

Debian installs /etc/ssl/certs/ca-certificates.crt. Fedora and its derivatives (Red Hat, CentOS) have /etc/pki/tls/cert.pem installed.
FreeBSD has /usr/local/share/certs/ca-root-nss.crt.

The standard practice on Fedora is to have applications configured or patched to use its default /etc/pki/tls/cert.pem certificate bundle.
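The probing logic a library default would need, as an added example that is not part of this message, of the thread, or of GnuTLS. The three bundle paths are the ones named above; the probe order, the injectable `isfile` predicate, the PEM-splitting rule and the function names are this example's own assumptions. The splitter tolerates the plain-text headers that distribution bundles interleave between PEM blocks, and the loader reports how many CA certificates the store actually accepted, so an application can notice an empty or unparsable bundle instead of silently trusting nothing.

```python
"""Probe for a system-wide CA bundle on POSIX hosts, split it into
individual PEM certificates, and load it into an SSL context.

Added example, not code from the thread or from GnuTLS.  The candidate
paths are the ones reported in the message above; everything else
(probe order, helper names, parsing rules) is an assumption of this
example.
"""
import os
import ssl
from typing import Callable, Iterable, List, Optional

# Bundle locations reported in the message: Debian, Fedora/RHEL/CentOS, FreeBSD.
CANDIDATE_BUNDLES = (
    "/etc/ssl/certs/ca-certificates.crt",
    "/etc/pki/tls/cert.pem",
    "/usr/local/share/certs/ca-root-nss.crt",
)

PEM_BEGIN = b"-----BEGIN CERTIFICATE-----"
PEM_END = b"-----END CERTIFICATE-----"


def find_system_ca_bundle(
    candidates: Iterable[str] = CANDIDATE_BUNDLES,
    isfile: Callable[[str], bool] = os.path.isfile,
) -> Optional[str]:
    """Return the first candidate that exists as a regular file, or None.

    `isfile` is injectable so the selection logic can be exercised
    without touching the real filesystem.
    """
    for path in candidates:
        if isfile(path):
            return path
    return None


def split_pem_certificates(data: bytes) -> List[bytes]:
    """Extract every BEGIN/END CERTIFICATE block from a bundle.

    Distribution bundles commonly carry plain-text headers or comments
    between the PEM blocks, so bytes outside a block are ignored.  An
    unterminated block is treated as corruption and raises ValueError
    rather than being dropped silently.
    """
    certs: List[bytes] = []
    pos = 0
    while True:
        start = data.find(PEM_BEGIN, pos)
        if start < 0:
            break
        end = data.find(PEM_END, start)
        if end < 0:
            raise ValueError("unterminated PEM certificate block")
        end += len(PEM_END)
        certs.append(data[start:end] + b"\n")
        pos = end
    return certs


def load_system_trust(path: str) -> int:
    """Load the bundle into a verifying client context and return how many
    CA certificates the store accepted (0 means nothing would verify)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.load_verify_locations(cafile=path)
    return ctx.cert_store_stats()["x509_ca"]


if __name__ == "__main__":
    bundle = find_system_ca_bundle()
    if bundle is None:
        print("no known system CA bundle found")
    else:
        with open(bundle, "rb") as f:
            blocks = len(split_pem_certificates(f.read()))
        print(f"{bundle}: {blocks} PEM blocks, "
              f"{load_system_trust(bundle)} CA certificates loaded")
```

Run stand-alone on a host that has one of the three bundles, it prints the path chosen, the number of PEM blocks in the file, and the number of CAs the store accepted; a mismatch between the two counts is the signal that part of the bundle did not parse.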
