Re: The _gnutls_x509_verify_certificate fix

From: Nikos Mavrogiannopoulos
Subject: Re: The _gnutls_x509_verify_certificate fix
Date: Mon, 10 Nov 2008 21:04:52 +0100
On Mon, Nov 10, 2008 at 2:47 PM, Tomas Mraz <address@hidden> wrote:
> Hello,
> given the recent fix in the _gnutls_x509_verify_certificate I have been
> looking at the function. I see there are currently some limitations in
> it. For example it now doesn't allow verification of an explicitly trusted
> self-signed site certificate. Is there some other method by which this
> could be achieved?
You can achieve it by associating an address of a website with the keyid
of the given certificate. This is more generic than trusting a self-signed
certificate. You can trust any certificate first presented when accessing
a website that way (ssh security).
> The other limitation is that only the last certificate (after removing
> an eventual self-signed cert at the end of the chain) is checked against
> the trusted list. That means you can not put just an intermediate CA
> cert into the trusted list to be able to verify the chain.
Indeed this algorithm is primitive. The idea was to allow applications to
override it with custom-made advanced verification, but with the current
bug discovered in a "simple" algorithm I no longer think this is a good
idea. Probably a more advanced verification subsystem should exist with
enough hooks so applications could get detailed information about the
verification[0].

However something like this is not in my near-future plans. We would be
happy to receive, review and add patches for this functionality though.
[0] The whole idea of having a simplified verification algorithm in gnutls
was because I thought that applications would want to present detailed
information to the client (where the verification failed etc.).
regards,
Nikos
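The trust-on-first-use scheme described above (pin the keyid of the first certificate presented by a site, as SSH does with host keys), as an added example in Python that is not part of this thread or of GnuTLS. It assumes the keyid is SHA-256 over the DER SubjectPublicKeyInfo (in GnuTLS it would come from gnutls_x509_crt_get_key_id), a JSON file as the pin store, and constructed stand-in key bytes; a key change is reported, never silently overwritten.

```python
import hashlib
import hmac
import json
import os
import tempfile
from enum import Enum

class Tofu(Enum):
    FIRST_SEEN = 1   # no pin yet: record the key id (the "first presented" case)
    MATCH = 2        # presented key matches the stored pin
    MISMATCH = 3     # key changed: reject; never overwrite the pin silently

def key_id(spki_der: bytes) -> str:
    """Key id of a certificate's public key (assumed: SHA-256 of DER SPKI)."""
    return hashlib.sha256(spki_der).hexdigest()

def load_pins(path: str) -> dict:
    if not os.path.exists(path):
        return {}
    with open(path, encoding="utf-8") as f:
        return json.load(f)

def save_pins(path: str, pins: dict) -> None:
    tmp = path + ".tmp"
    with open(tmp, "w", encoding="utf-8") as f:
        json.dump(pins, f, indent=1, sort_keys=True)
    os.replace(tmp, path)   # atomic swap so a crash cannot truncate the store

def check_peer(path: str, host: str, port: int, spki_der: bytes) -> Tofu:
    """Pin the peer's key id to host:port on first contact, then enforce it."""
    pins = load_pins(path)
    name = f"{host}:{port}"
    kid = key_id(spki_der)
    stored = pins.get(name)
    if stored is None:
        pins[name] = kid
        save_pins(path, pins)
        return Tofu.FIRST_SEEN
    if hmac.compare_digest(stored, kid):
        return Tofu.MATCH
    return Tofu.MISMATCH   # leave the old pin in place for the operator to review

def run_demo() -> list:
    """Constructed key material (not real SPKI DER) exercising all three paths."""
    key_a = b"\x30\x59\x30\x13" + b"A" * 87   # stand-in for a DER SPKI blob
    key_b = b"\x30\x59\x30\x13" + b"B" * 87   # a different (constructed) key
    with tempfile.TemporaryDirectory() as d:
        store = os.path.join(d, "known_hosts.json")
        return [
            check_peer(store, "example.test", 443, key_a),  # FIRST_SEEN
            check_peer(store, "example.test", 443, key_a),  # MATCH
            check_peer(store, "example.test", 443, key_b),  # MISMATCH
            check_peer(store, "example.test", 443, key_a),  # MATCH: pin untouched
        ]
```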