Analysis of vulnerability GNUTLS-SA-2008-3 CVE-2008-4989

Andreas Metzler ametzler at
Mon Nov 10 19:15:04 CET 2008

On 2008-11-10 Martin von Gagern <Martin.vGagern at> wrote:
> This is an analysis fo the GNU TLS vulnerability recently published as
> GNUTLS-SA-2008-3 and CVE-2008-4989.

> I found a bug in GNU TLS which breaks X.509 certificate chain
> verification. This allows a man in the middle to assume any name and
> trick GNU TLS clients into trusting that name.

This seems to apply to every recent gnutls version (at least even
1.4.4 shows the same output. Can you confirm that?

cu and- not trusting myself currently -reas
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'

More information about the Gnutls-devel mailing list