The _gnutls_x509_verify_certificate fix
simon at josefsson.org
Mon Nov 10 18:33:05 CET 2008
Tomas Mraz <tmraz at redhat.com> writes:
> given the recent fix in the _gnutls_x509_verify_certificate I have been
> looking at the function. I see there are currently some limitations in
> it. For example it now doesn't allow verification of explicitely trusted
> self-signed site certificate. Is there some other method how this could
> be achieved? If not, then perhaps the test for the self-signed should be
> performed only when clist_size > 1. Also the test for the clist_size
> should be first test of the if().
> The other limitation is that only the last certificate (after removing
> eventual self-signed cert at the end of the chain) is checked against
> the trusted list. That means you can not put just an intermediate CA
> cert into the trusted list to be able to verify the chain.
> What do you think of these limitations, should they be removed?
Hi. Thanks for looking at the code. Yes, I would agree that both
situations should be permitted, and consequently that the limitations
should be removed.
More information about the Gnutls-devel