The _gnutls_x509_verify_certificate fix

Tomas Mraz tmraz at
Mon Nov 10 14:47:16 CET 2008


given the recent fix in the _gnutls_x509_verify_certificate I have been
looking at the function. I see there are currently some limitations in
it. For example it now doesn't allow verification of explicitely trusted
self-signed site certificate. Is there some other method how this could
be achieved? If not, then perhaps the test for the self-signed should be
performed only when clist_size > 1. Also the test for the clist_size
should be first test of the if().

The other limitation is that only the last certificate (after removing
eventual self-signed cert at the end of the chain) is checked against
the trusted list. That means you can not put just an intermediate CA
cert into the trusted list to be able to verify the chain.

What do you think of these limitations, should they be removed?
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
                                              Turkish proverb

More information about the Gnutls-devel mailing list