issues with OpenPGP certificate verification
simon at josefsson.org
Mon Apr 28 20:01:45 CEST 2008
Nikos Mavrogiannopoulos <nmav at gnutls.org> writes:
> Daniel Kahn Gillmor wrote:
>> Hey Folks--
>> I just opened a couple tickets concerning what appear to be serious
>> problems with GnuTLS's OpenPGP certificate verification:
>> * gnutls-cli continues connection when certificate User ID does not
>> match hostname (even without --insecure):
>> This is equivalent to accepting a valid TLS certificate from
>> https://evil.com/ even though the connection was made to
> Currently gnutls-cli prints:
> # The hostname in the key does NOT match 'goodsite'.
> However it seems that gnutls-cli is not any more a debugging tool. So
> it is a valid request to fail if the hostname doesn't match. (This
> also doesn't happen in the X.509 certificate case)... Simon could
> there be any issue with this change and gnus that use it?
No, changing this would be good. If it causes failures for some people,
it probably does that for a reason, and they should investigate it.
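An added illustration in Python (not gnutls-cli's code, nor anything from the thread's authors) of the two client policies being contrasted: the "print a warning and keep going" check versus a fail-closed check that only proceeds when the caller explicitly passed --insecure. The `Name <user@host>` User ID layout, the host-part comparison, and the sample key names are assumptions made for the example.

```python
class HostnameMismatch(Exception):
    """Raised by the fail-closed policy when no User ID host matches."""


# Constructed User IDs for a hypothetical server key (not from the thread).
SAMPLE_USER_IDS = ["GoodSite TLS key <admin@goodsite.example>"]
WILDCARD_USER_IDS = ["Wildcard key <svc@*.goodsite.example>"]


def userid_hosts(user_ids):
    """Return the host part of every 'Name <user@host>' User ID (assumed layout)."""
    hosts = []
    for uid in user_ids:
        uid = uid.strip()
        if "<" in uid and uid.endswith(">"):
            addr = uid[uid.rfind("<") + 1:-1]
            if "@" in addr:
                hosts.append(addr.rsplit("@", 1)[1].lower())
    return hosts


def hostname_matches(user_ids, hostname):
    """Case-insensitive exact match, or a leading '*' covering exactly one label."""
    h = hostname.lower()
    for cand in userid_hosts(user_ids):
        if cand == h:
            return True
        if (cand.startswith("*.") and h.endswith(cand[1:])
                and h.count(".") == cand.count(".")):
            return True
    return False


def verify_legacy(user_ids, hostname, log):
    """Behaviour the thread reports: the mismatch is only printed, the session continues."""
    if not hostname_matches(user_ids, hostname):
        log.append(f"# The hostname in the key does NOT match '{hostname}'.")
    return True  # connection proceeds regardless of the warning


def verify_fixed(user_ids, hostname, log, insecure=False):
    """Fail closed: a mismatch aborts unless the caller explicitly opted into --insecure."""
    if hostname_matches(user_ids, hostname):
        return True
    log.append(f"# The hostname in the key does NOT match '{hostname}'.")
    if insecure:
        return True  # the user knowingly accepted the risk
    raise HostnameMismatch(hostname)
```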