Release candidate of 2.6.3
Simon Josefsson
simon at josefsson.org
Wed Dec 10 16:07:30 CET 2008
We'll need to do another 2.6.x release, to make X.509 certificate chains
ending with RSA-MD2 CA's (i.e., one of VeriSign's CA's) validate
successfully again. I have prepared a daily build that incorporates
everything we want to release in 2.6.3, please test it now:
http://daily.josefsson.org/gnutls-2.6/gnutls-2.6-20081210.tar.gz
http://daily.josefsson.org/gnutls-2.6/gnutls-2.6-20081210.tar.gz.gpg
I've prepared patches against the two latest stable branches below.
/Simon
Patch against 2.6.2:
diff --git a/lib/x509/verify.c b/lib/x509/verify.c
index 92ef722..00e2422 100644
--- a/lib/x509/verify.c
+++ b/lib/x509/verify.c
@@ -374,6 +374,24 @@ _gnutls_x509_verify_certificate (const gnutls_x509_crt_t * certificate_list,
int i = 0, ret;
unsigned int status = 0, output;
+ if (clist_size > 1)
+ {
+ /* Check if the last certificate in the path is self signed.
+ * In that case ignore it (a certificate is trusted only if it
+ * leads to a trusted party by us, not the server's).
+ *
+ * This in addition prevents from verifying self signed certificates
+ * against themselves. This although not bad caused verification
+ * failures on some root self signed certificates that use the MD2
+ * algorithm.
+ */
+ if (gnutls_x509_crt_check_issuer (certificate_list[clist_size - 1],
+ certificate_list[clist_size - 1]) > 0)
+ {
+ clist_size--;
+ }
+ }
+
/* Verify the last certificate in the certificate path
* against the trusted CA certificate list.
*
Patch against 2.4.2:
--- gnutls-2.4.2/lib/x509/verify.c.orig 2008-12-10 16:05:39.000000000 +0100
+++ gnutls-2.4.2/lib/x509/verify.c 2008-12-10 16:05:41.000000000 +0100
@@ -376,6 +376,24 @@
int i = 0, ret;
unsigned int status = 0, output;
+ if (clist_size > 1)
+ {
+ /* Check if the last certificate in the path is self signed.
+ * In that case ignore it (a certificate is trusted only if it
+ * leads to a trusted party by us, not the server's).
+ *
+ * This in addition prevents from verifying self signed certificates
+ * against themselves. This although not bad caused verification
+ * failures on some root self signed certificates that use the MD2
+ * algorithm.
+ */
+ if (gnutls_x509_crt_check_issuer (certificate_list[clist_size - 1],
+ certificate_list[clist_size - 1]) > 0)
+ {
+ clist_size--;
+ }
+ }
+
/* Verify the last certificate in the certificate path
* against the trusted CA certificate list.
*
@@ -414,17 +432,6 @@
}
#endif
- /* Check if the last certificate in the path is self signed.
- * In that case ignore it (a certificate is trusted only if it
- * leads to a trusted party by us, not the server's).
- */
- if (gnutls_x509_crt_check_issuer (certificate_list[clist_size - 1],
- certificate_list[clist_size - 1]) > 0
- && clist_size > 0)
- {
- clist_size--;
- }
-
/* Verify the certificate path (chain)
*/
for (i = clist_size - 1; i > 0; i--)
More information about the Gnutls-devel
mailing list